GitHub Audit Logs

GitHub Audit Logs provide a detailed record of actions and events within a GitHub organization or repository. These logs capture information such as user logins, repository changes (e.g., pushes, merges, deletions), permission modifications, and security settings updates. They help administrators track user activity, ensure security compliance, and audit changes for troubleshooting and incident investigation.

Ingest Methods

GitHub audit logs can be ingested using two separate methods: audit log streaming, where GitHub pushes your logs to a cloud storage account that RunReveal ingests from, and API polling, where RunReveal uses an access token to poll your GitHub organization for new audit logs every 60 seconds.

Log Streaming

Resource Setup

If you plan to use audit log streaming, you will need to set up the necessary resources and permissions for RunReveal to get access.

If using an AWS S3 bucket, use the following SNS topic ARN to send your bucket notifications:

arn:aws:sns:<REGION>:253602268883:runreveal_github

GitHub Setup

Once the resources and permissions are set for RunReveal, you will need to set up GitHub to send logs to your bucket.

Follow the steps provided in the GitHub documentation to set up streaming for the cloud provider that you are using.

API Polling

When setting up API polling, RunReveal only needs two items: the name of the organization whose audit logs we should poll, and an API token to access your account.

API Token

To generate an API token, navigate to the Personal access tokens (classic) page in your GitHub account and click Generate new token, or follow this link: https://github.com/settings/tokens/new

Make sure you are under your personal account settings and are logged in with a user that has access to your organization's audit logs. When creating a new token, make sure it is a classic token; the required permissions are not available for fine-grained tokens yet.

Give the token a description and select an expiration for it. When selecting scopes, the only required scope is read:audit_log.

RunReveal Source Setup

Once all of the other setup steps have been completed, you can log into RunReveal and create the GitHub source.

Select the ingest method that you are using and fill in the details for your setup.

Schema

The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.

Table: github_logs (65 columns)

Column                           Type
document_id                      String
action                           String
created_at                       String
operation_type                   String
actor_is_bot                     String
actor_country_code               String
org_id                           String
business                         String
business_id                      String
repo                             String
repo_id                          String
repository                       String
repository_id                    String
repository_public                String
public_repo                      String
visibility                       String
user_id                          String
user_agent                       String
hashed_token                     String
token_id                         String
token_scopes                     String
programmatic_access_type         String
external_identity_username       String
issuer                           String
pull_request_title               String
pull_request_url                 String
review_id                        String
workflow_run_id                  String
event                            String
trigger_id                       String
run_number                       String
run_attempt                      String
name                             String
started_at                       String
completed_at                     String
conclusion                       String
head_branch                      String
head_sha                         String
topic                            String
runner_id                        String
runner_name                      String
runner_group_id                  String
runner_group_name                String
runner_owner_type                String
job_name                         String
job_workflow_ref                 String
runner_labels                    Raw
secrets_passed                   Raw
environment_name                 String
after_sha                        String
branch                           String
overridden_codes                 Raw
reasons                          Raw
integration                      String
oauth_application_id             String
request_method                   String
route                            String
url_path                         String
query_string                     String
request_body                     String
status_code                      String
rate_limit_remaining             String
request_access_security_header   String
transport_protocol               String
transport_protocol_name          String
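As an added example (not RunReveal's code) of detection logic over the columns above, the following Python runs two checks against constructed github_logs rows: a repository's visibility flipped to public, and one user_id destroying several repositories within a short window. The action names repo.access and repo.destroy are GitHub's own audit log actions; the row values, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows shaped like the github_logs columns above
# (column names from the schema; the values are made up for this example).
SAMPLE_ROWS = [
    {"document_id": "d1", "action": "repo.access", "created_at": "2024-05-01T10:00:00Z",
     "user_id": "1001", "repo": "acme/payments", "visibility": "public"},
    {"document_id": "d2", "action": "repo.access", "created_at": "2024-05-01T10:01:00Z",
     "user_id": "1002", "repo": "acme/docs", "visibility": "private"},
    {"document_id": "d3", "action": "repo.destroy", "created_at": "2024-05-01T10:05:00Z",
     "user_id": "1001", "repo": "acme/svc-a", "visibility": "private"},
    {"document_id": "d4", "action": "repo.destroy", "created_at": "2024-05-01T10:06:30Z",
     "user_id": "1001", "repo": "acme/svc-b", "visibility": "private"},
    {"document_id": "d5", "action": "repo.destroy", "created_at": "2024-05-01T10:08:00Z",
     "user_id": "1001", "repo": "acme/svc-c", "visibility": "private"},
    {"document_id": "d6", "action": "repo.destroy", "created_at": "2024-05-01T14:00:00Z",
     "user_id": "1003", "repo": "acme/old", "visibility": "private"},
]


def parse_ts(value: str) -> datetime:
    # created_at is a String column; GitHub emits ISO-8601 UTC timestamps.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_public_exposure(rows):
    """Return document_ids of repo.access events whose resulting visibility is public."""
    return [r["document_id"] for r in rows
            if r["action"] == "repo.access" and r["visibility"] == "public"]


def detect_mass_deletion(rows, threshold=3, window=timedelta(minutes=10)):
    """Return user_ids that destroyed >= threshold repos inside any sliding window."""
    by_user = defaultdict(list)
    for r in rows:
        if r["action"] == "repo.destroy":
            by_user[r["user_id"]].append(parse_ts(r["created_at"]))
    flagged = []
    for user_id, times in by_user.items():
        times.sort()
        # Compare each event with the (threshold-1)th event after it.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(user_id)
                break
    return flagged


if __name__ == "__main__":
    print("public exposure:", detect_public_exposure(SAMPLE_ROWS))
    print("mass deletion:", detect_mass_deletion(SAMPLE_ROWS))
```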