Security log events

Learn about security log events recorded for your personal account.

About security log events

The name for each audit log entry is composed of a category of events, followed by an operation type. For example, the repo.create entry refers to the create operation on the repo category. The reference information in this article is grouped by categories.

Audit log events

account

account.plan_change: The account's plan changed.
Fields: actor, operation_type, _document_id, user_agent, created_at, actor_id, request_id, @timestamp, user, action, user_id, programmatic_access_type
Reference: How GitHub billing works

actions_cache

actions_cache.delete: A GitHub Actions cache was deleted using the REST API.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, user_id, user, repo_id, repo, org, org_id, actions_cache_id, actions_cache_key, actions_cache_version, actions_cache_scope, action, _document_id, @timestamp, created_at, operation_type, token_scopes, programmatic_access_type, request_access_security_header

artifact

artifact.destroy: A workflow run artifact was manually deleted.
Fields: action, actor, user_agent, actor_id, repo, repo_id, request_id, @timestamp, created_at, _document_id, operation_type, programmatic_access_type

billing

billing.budget_create: A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.
Fields: actor, actor_id, user_agent, request_id, customer_id, target_amount, target_type, target_id, alert_enabled, status, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, pricing_target_type, pricing_target_id, budget_limit_type, alert_recipient_user_ids, exclude_cost_center_usage

billing.budget_delete: A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.
Fields: actor, actor_id, user_agent, request_id, customer_id, uuid, status, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

billing.budget_update: A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.
Fields: actor, actor_id, user_agent, request_id, customer_id, target_amount, target_type, target_id, alert_enabled, status, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header, old_target_amount, old_budget_limit_type, old_alert_enabled, old_target_id, old_pricing_target_type, old_pricing_target_id

billing.change_billing_type: The way the account pays for GitHub was changed.
Fields: actor_id, user, @timestamp, actor, user_id, action, created_at, operation_type, _document_id, user_agent, request_id
Reference: Managing your payment and billing information

billing.change_email: The billing email address changed.
Fields: actor, operation_type, actor_id, org_id, @timestamp, user_agent, request_id, created_at, _document_id, org, email, action, request_access_security_header
Reference: Managing your payment and billing information

billing.overage_policy_updated: The premium request paid usage policy for your GitHub account was changed.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot
Reference: /copilot/how-tos/manage-and-track-spending/manage-request-allowances#setting-a-policy-for-paid-usage

billing_customer

billing_customer.azure_subscription_linked: Azure subscription has been linked on this account.
Fields: actor, actor_id, user_agent, request_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

billing_customer.azure_subscription_unlinked: Azure subscription has been unlinked on this account.
Fields: actor, actor_id, user_agent, request_id, business, business_id, action, _document_id, @timestamp, created_at, operation_type

business

business.security_center_export_code_scanning_metrics: A CSV export was requested on the "CodeQL pull request alerts" page.
Fields: actor, actor_id, user_agent, request_id, business, business_id, user, user_id, query, filename, requested_at, start_date, end_date, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

business.security_center_export_coverage: A CSV export was requested on the "Coverage" page.
Fields: actor, actor_id, user_agent, request_id, business, business_id, user, user_id, query, filename, requested_at, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

business.security_center_export_overview_dashboard: A CSV export was requested on the "Overview Dashboard" page.
Fields: actor, actor_id, user_agent, request_id, business, business_id, user, user_id, query, filename, requested_at, start_date, end_date, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot, request_access_security_header

business.security_center_export_risk: A CSV export was requested on the "Risk" page.
Fields: actor, actor_id, user_agent, request_id, business, business_id, user, user_id, query, filename, requested_at, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot

business.set_actions_cache_retention_policy: The cache retention policy for GitHub Actions was set for an enterprise.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, name, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_cache_storage_policy: The cache storage policy for GitHub Actions was set for an enterprise.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, name, business, business_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_fork_pr_approvals_policy: The policy for requiring approvals for workflows from public forks was changed for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, policy, business, business_id, action, _document_id, @timestamp, created_at, operation_type
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_private_fork_pr_approvals_policy: The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.
Fields: actor, actor_id, user_agent, request_id, name, policy, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_actions_retention_limit: The retention period for GitHub Actions artifacts and logs was changed for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, limit, business, business_id, action, operation_type, @timestamp, created_at, _document_id
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_default_workflow_permissions: The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.
Fields: actor, actor_id, user_agent, request_id, name, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_fork_pr_workflows_policy: The policy for fork pull request workflows was changed for an enterprise.
Fields: user_agent, request_id, actor, actor_id, name, policy, business, business_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

business.set_workflow_permission_can_approve_pr: The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.
Fields: actor, actor_id, user_agent, request_id, name, business, business_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Enforcing policies for GitHub Actions in your enterprise

checks

checks.auto_trigger_disabled: Automatic creation of check suites was disabled on a repository in the organization or enterprise.
Fields: visibility, user_agent, user, @timestamp, repo, actor_id, user_id, action, created_at, actor, operation_type, request_id, repo_id, _document_id
Reference: /rest/checks#update-repository-preferences-for-check-suites

checks.auto_trigger_enabled: Automatic creation of check suites was enabled on a repository in the organization or enterprise.
Fields: user_agent, request_id, actor, actor_id, visibility, repo, repo_id, user, user_id, action, operation_type, @timestamp, created_at, _document_id, public_repo
Reference: /rest/checks#update-repository-preferences-for-check-suites

checks.delete_logs: Logs in a check suite were deleted.
Fields: @timestamp, actor, actor_id, operation_type, repo_id, action, created_at, _document_id, user_agent, request_id, repo, programmatic_access_type

codespaces

codespaces.allow_permissions: A codespace using custom permissions from its devcontainer.json file was launched.
Fields: user_agent, request_id, actor, actor_id, origin_repository, action, _document_id, @timestamp, created_at, operation_type

codespaces.connect: Credentials for a codespace were refreshed.
Fields: user_agent, request_id, actor, actor_id, repository_id, repository, pull_request_id, user_id, org_id, owner, name, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type, actor_is_bot, machine_type, devcontainer_path

codespaces.create: A codespace was created
Fields: user_agent, request_id, actor, actor_id, repository_id, repository, pull_request_id, owner, name, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type, actor_is_bot, machine_type, devcontainer_path
Reference: Creating a codespace for a repository

codespaces.destroy: A user deleted a codespace.
Fields: user_agent, request_id, actor, actor_id, repository_id, repository, pull_request_id, owner, name, action, operation_type, @timestamp, created_at, _document_id, token_scopes, programmatic_access_type
Reference: Deleting a codespace

codespaces.export_environment: A codespace was exported to a branch on GitHub.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, owner, action, _document_id, @timestamp, created_at, operation_type, public_repo

codespaces.restore: A codespace was restored.
Fields: user_agent, request_id, actor, actor_id, owner, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type

codespaces.start_environment: A codespace was started.
Fields: actor, actor_id, user_agent, request_id, name, org, owner, pull_request_id, machine_type, user_id, user, devcontainer_path, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header

codespaces.suspend_environment: A codespace was stopped.
Fields: user_agent, request_id, actor, actor_id, owner, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type

codespaces.trusted_repositories_access_update: A personal account's access and security setting for Codespaces were updated.
Fields: user_agent, request_id, actor, actor_id, business, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: Managing access to other repositories within your codespace

copilot

copilot.cfb_seat_added: A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.
Fields: user_agent, request_id, token_id, hashed_token, programmatic_access_type, actor, actor_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

copilot.cfb_seat_assignment_created: A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.
Fields: actor, actor_id, user_agent, request_id, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: What is GitHub Copilot?

copilot.cfb_seat_assignment_refreshed: A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.
Fields: user_agent, request_id, hashed_token, programmatic_access_type, actor, actor_id, token_id, token_scopes, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

copilot.cfb_seat_assignment_reused: A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type

copilot.cfb_seat_assignment_unassigned: A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.
Fields: actor, actor_id, user_agent, request_id, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, request_access_security_header

copilot.cfb_seat_cancelled: A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.
Fields: actor, actor_id, user_agent, request_id, user, user_id, action, _document_id, @timestamp, created_at, operation_type, seat_assignment, request_access_security_header

copilot.cfb_seat_cancelled_by_staff: A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.
Fields: actor, actor_id, user_agent, request_id, user_id, user, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id

copilot.swe_agent_repo_disabled: Specific repositories were disabled from using Copilot coding agent.
Fields: actor, org_id, owner_type, actor_id, owner, repo, repo_id, public_repo, org, action, _document_id, @timestamp, created_at, operation_type, business, business_id

copilot.swe_agent_repo_enabled: Specific repositories were enabled to use Copilot coding agent.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, org_id, owner_type, owner, repo, repo_id, public_repo, org, action, _document_id, @timestamp, created_at, operation_type

copilot.swe_agent_repo_enablement_updated: Copilot coding agent access was updated for the organization's or user's repositories.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, new_access, old_access, org_id, owner_type, owner, org, action, _document_id, @timestamp, created_at, operation_type

dependabot_alerts

dependabot_alerts.disable: Dependabot alerts were disabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

dependabot_alerts.enable: Dependabot alerts were enabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories

dependabot_alerts_new_repos

dependabot_alerts_new_repos.disable: Dependabot alerts were disabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added

dependabot_alerts_new_repos.enable: Dependabot alerts were enabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added

dependabot_closure_request

dependabot_closure_request.approve: Dismissal of Dependabot alerts was approved.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, number, alert_number, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: /code-security/dependabot/dependabot-alerts/about-dependabot-alerts

dependabot_closure_request.cancel: Dismissal request for Dependabot alerts was canceled.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, number, alert_number, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: /code-security/dependabot/dependabot-alerts/about-dependabot-alerts

dependabot_closure_request.create: Dismissal of Dependabot alerts was requested.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, number, alert_number, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: /code-security/dependabot/dependabot-alerts/about-dependabot-alerts

dependabot_closure_request.deny: Dismissal of Dependabot alerts was denied.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, number, alert_number, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot
Reference: /code-security/dependabot/dependabot-alerts/about-dependabot-alerts

dependabot_repository_access

dependabot_repository_access.repositories_updated: The repositories that Dependabot can access were updated.
Fields: user_agent, request_id, actor, actor_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id

dependabot_security_updates

dependabot_security_updates.disable: Dependabot security updates were disabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependabot_security_updates.enable: Dependabot security updates were enabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id

dependabot_security_updates_new_repos

dependabot_security_updates_new_repos.disable: Dependabot security updates were disabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependabot_security_updates_new_repos.enable: Dependabot security updates were enabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, user, user_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id

dependency_graph

dependency_graph.disable: The dependency graph was disabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependency_graph.enable: The dependency graph was enabled for all existing repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id

dependency_graph_new_repos

dependency_graph_new_repos.disable: The dependency graph was disabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id
Reference: /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization

dependency_graph_new_repos.enable: The dependency graph was enabled for all new repositories.
Fields: user_agent, request_id, actor, actor_id, created_at, user, user_id, org, org_id, action, operation_type, @timestamp, _document_id, request_access_security_header

environment

environment.add_protection_rule: A GitHub Actions deployment protection rule was created via the API.
Fields: user_agent, request_id, actor, actor_id, name, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, programmatic_access_type, request_access_security_header
Reference: Managing environments for deployment

environment.create_actions_secret: A secret was created for a GitHub Actions environment.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, key, visibility, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, public_repo, token_scopes, programmatic_access_type, request_access_security_header
Reference: Managing environments for deployment

environment.create_actions_variable: A variable was created for a GitHub Actions environment.
Fields: actor, actor_id, user_agent, request_id, key, visibility, environment_name, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, business, business_id, actor_is_bot, request_access_security_header
Reference: Store information in variables

environment.delete: An environment was deleted.
Fields: user_agent, request_id, actor, actor_id, name, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, token_scopes, programmatic_access_type, actor_is_bot, request_access_security_header
Reference: Managing environments for deployment

environment.remove_actions_secret: A secret was deleted for a GitHub Actions environment.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, key, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, business, business_id, public_repo, token_scopes, request_access_security_header
Reference: Managing environments for deployment

environment.remove_actions_variable: A variable was deleted for a GitHub Actions environment.
Fields: actor, actor_id, user_agent, request_id, key, environment_name, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Store information in variables

environment.remove_protection_rule: A GitHub Actions deployment protection rule was deleted via the API.
Fields: user_agent, request_id, actor, actor_id, name, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, request_access_security_header
Reference: Managing environments for deployment

environment.update_actions_secret: A secret was updated for a GitHub Actions environment.
Fields: user_agent, request_id, actor, actor_id, oauth_application_id, key, visibility, repo, repo_id, org, org_id, action, operation_type, @timestamp, created_at, _document_id, public_repo, programmatic_access_type, request_access_security_header
Reference: Managing environments for deployment

environment.update_actions_variable: A variable was updated for a GitHub Actions environment.
Fields: actor, actor_id, user_agent, request_id, key, visibility, environment_name, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type, request_access_security_header
Reference: Store information in variables

environment.update_protection_rule: A GitHub Actions deployment protection rule was updated via the API.
Fields: user_agent, request_id, actor, actor_id, repo, repo_id, org, org_id, action, @timestamp, _document_id, new_value, approvers_was, approvers, programmatic_access_type, can_admins_bypass, prevent_self_review
Reference: Managing environments for deployment

gist

gist.create: A gist was created.
Fields: request_id, user_id, user, gist_id, @timestamp, created_at, operation_type, user_agent, actor, actor_id, visibility, action, _document_id, token_scopes, programmatic_access_type

gist.destroy: A gist was deleted.
Fields: user_id, gist_id, visibility, created_at, _document_id, user, request_id, operation_type, actor, actor_id, action, user_agent, @timestamp, programmatic_access_type

gist.visibility_change: The visibility of a gist was updated.
Fields: action, operation_type, @timestamp, user_agent, actor, user, gist_id, actor_id, request_id, visibility, user_id, created_at, _document_id, token_scopes, programmatic_access_type

git_signing_ssh_public_key

git_signing_ssh_public_key.create: An SSH key was added to a user account as a Git commit signing key.
Fields: actor, actor_id, user_agent, request_id, title, key, fingerprint, user_id, user, action, _document_id, @timestamp, created_at, operation_type, token_scopes, request_access_security_header
Reference: /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

git_signing_ssh_public_key.delete: An SSH key was removed from a user account as a Git commit signing key.
Fields: actor, actor_id, user_agent, request_id, title, key, fingerprint, user_id, explanation, user, action, _document_id, @timestamp, created_at, operation_type, token_scopes, request_access_security_header
Reference: /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key

hook

hook.active_changed: A hook's active status was updated.
Fields: user_agent, request_id, actor, actor_id, created_at, name, events, active, active_was, hook_id, repo, repo_id, org, org_id, action, operation_type, @timestamp, _document_id, programmatic_access_type

hook.config_changed: A hook's configuration was changed.
Fields: actor_id, operation_type, @timestamp, _document_id, actor, name, org, user_agent, request_id, hook_id, repo, repo_id, created_at, oauth_application_id, action, events, org_id, token_scopes, programmatic_access_type

hook.create: A new hook was added.
Fields: oauth_application, _document_id, user_agent, actor, actor_id, oauth_application_id, repo_id, request_id, hook_id, events, repo, @timestamp, operation_type, name, action, created_at, org_id, org, token_scopes, programmatic_access_type
Reference: About webhooks

hook.destroy: A hook was deleted.
Fields: actor, events, repo, created_at, org, name, request_id, actor_id, repo_id, org_id, action, operation_type, oauth_application_id, user_agent, hook_id, @timestamp, _document_id, token_scopes, programmatic_access_type

hook.events_changed: A hook's configured events were changed.
Fields: actor, events, repo, operation_type, action, _document_id, actor_id, name, events_were, @timestamp, created_at, hook_id, repo_id, org_id, org, user_agent, request_id, oauth_application_id, token_scopes, programmatic_access_type

integration

integration.create: A GitHub App was created.
Fields: user, action, operation_type, @timestamp, actor, user_agent, actor_id, request_id, name, user_id, _document_id, integration, created_at, programmatic_access_type, request_access_security_header, application_client_id

integration.destroy: A GitHub App was deleted.
Fields: actor, user_id, actor_id, request_id, @timestamp, name, integration, user, _document_id, action, operation_type, created_at, user_agent

integration.manager_added: A member of an enterprise or organization was added as a GitHub App manager.
Fields: created_at, action, _document_id, name, org_id, manager, operation_type, actor, integration, org, @timestamp, actor_id, request_id, user_agent
Reference: /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization

integration.manager_removed: A member of an enterprise or organization was removed from being a GitHub App manager.
Fields: user_agent, request_id, actor_id, org, operation_type, integration, org_id, _document_id, action, actor, name, created_at, manager, @timestamp
Reference: /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization

integration.remove_client_secret: A client secret for a GitHub App was removed.
Fields: user_agent, request_id, actor, actor_id, name, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header

integration.revoke_all_tokens: All user tokens for a GitHub App were requested to be revoked.
Fields: user_agent, request_id, actor, actor_id, name, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, application_client_id

integration.revoke_tokens: Token(s) for a GitHub App were revoked.
Fields: user_agent, request_id, actor, actor_id, name, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, application_client_id

integration.suspend: A GitHub App was suspended.
Fields: actor, actor_id, user_agent, request_id, name, integration, user, user_id, action, _document_id, @timestamp, created_at, operation_type, application_client_id
Reference: /apps/maintaining-github-apps/suspending-a-github-app-installation

integration.transfer: Ownership of a GitHub App was transferred to another user or organization.
Fields: @timestamp, user_id, name, transfer_to_id, user, requester, action, requester_id, actor_id, created_at, _document_id, user_agent, transfer_to, operation_type, request_id, actor, integration, transfer_from, transfer_from_id, transfer_from_type, transfer_to_type
Reference: /apps/maintaining-github-apps/transferring-ownership-of-a-github-app

integration.unsuspend: A GitHub App was unsuspended.
Fields: actor, actor_id, user_agent, request_id, name, integration, user, user_id, action, _document_id, @timestamp, created_at, operation_type, application_client_id
Reference: /apps/maintaining-github-apps/suspending-a-github-app-installation

integration_installation

integration_installation.create: A GitHub App was installed.
Fields: operation_type, @timestamp, name, request_id, repository_selection, user_id, action, user_agent, user, created_at, integration, _document_id, programmatic_access_type, application_client_id
Reference: /apps/using-github-apps/authorizing-github-apps

integration_installation.destroy: A GitHub App was uninstalled.
Fields: @timestamp, request_id, actor, created_at, _document_id, repository_selection, integration, user_id, user, action, operation_type, name, actor_id, user_agent, programmatic_access_type, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.repositories_added: Repositories were added to a GitHub App.
Fields: user_id, repository_selection, name, user, request_id, integration, operation_type, actor_id, action, repositories_added, created_at, _document_id, @timestamp, actor, user_agent, token_scopes, repositories_added_names, programmatic_access_type, actor_is_bot, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access

integration_installation.repositories_removed: Repositories were removed from a GitHub App.
Fields: user, operation_type, user_agent, actor, repository_selection, repositories_removed, integration, user_id, created_at, _document_id, request_id, @timestamp, name, action, actor_id, repositories_removed_names, programmatic_access_type, actor_is_bot, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access

integration_installation.suspend: A GitHub App was suspended.
Fields: user_agent, request_id, name, repository_selection, actor_id, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id, request_access_security_header, application_client_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.unsuspend: A GitHub App was unsuspended.
Fields: user_agent, request_id, name, repository_selection, actor_id, integration, user, user_id, action, operation_type, @timestamp, created_at, _document_id
Reference: /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access

integration_installation.version_updated: Permissions for a GitHub App were updated.
Fields: integration, user_id, user_agent, name, user, operation_type, actor_id, action, _document_id, request_id, created_at, repository_selection, @timestamp, actor, application_client_id
Reference: /apps/using-github-apps/approving-updated-permissions-for-a-github-app

issue_dependencies

issue_dependencies.blocked_by_add: An issue was marked as blocked by another issue.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, title, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot

issue_dependencies.blocked_by_remove: The blocked by relationship between an issue and another issue was removed.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, title, org, repo, repo_id, public_repo, action, _document_id, @timestamp, created_at, operation_type

issue_dependencies.blocking_add: An issue was marked as blocking another issue.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, title, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot

issue_dependencies.blocking_remove: The blocking relationship between an issue and another issue was removed.
Fields: actor, actor_id, user_agent, request_id, request_access_security_header, title, repo, repo_id, public_repo, org, org_id, action, _document_id, @timestamp, created_at, operation_type, actor_is_bot

Security log events

In this article