Github Audit Logs
GitHub Audit Logs provide a detailed record of actions and events within a GitHub organization or repository. These logs capture information such as user logins, repository changes (e.g., pushes, merges, deletions), permission modifications, and security settings updates. They help administrators track user activity, ensure security compliance, and audit changes for troubleshooting and incident investigation.
Ingest Methods
Github audit logs can be ingested using two separate methods, streaming audit logs where Github will push your logs to a cloud storage account to be ingested by RunReveal, and API polling where RunReveal will use an access token to poll your Github organization for new audit logs every 60 seconds.
Log Streaming
Resource Setup
If you plan to use audit log streaming you will need to setup the necessary resources and permissions for RunReveal to get access.
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
arn:aws:sns:<REGION>:253602268883:runreveal_githubGithub Setup
Once the resources and permissions are set for RunReveal you will need to setup Github to send logs to your bucket.
Follow the steps provided in the GitHub documentation to setup streaming for the cloud provider that you are using.
API Polling
When setting up API polling RunReveal will only need two items, the name of the organization that we should be polling audit logs for, and an API token to access your account.
API Token
To generate an API token navigate to the Personal access tokens (classic) page in your GitHub account and click on Generate new token, or follow this link https://github.com/settings/tokens/new
Make sure you are under your personal account settings and are logged in with a user that has access to your organizations audit logs. When creating a new token make sure its a classic type. The required permissions are not available for fine grained tokens yet.
Give the token a description and select an expiration for it. When selecting the scopes the only required scope is the read:audit_log.
RunReveal Source Setup
Once all of the other setup steps have been completed you can now log into RunReveal and create the Github source.
Select the ingest method that you are using and fill in the details for your setup.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: github_logs (75 columns)
github_logs (75 columns)| Column | Type |
|---|---|
timestamp | Unknown |
document_id | Unknown |
action | Unknown |
created_at | Unknown |
operation_type | Unknown |
actor_id | Unknown |
actor_is_bot | Unknown |
actor_country_code | Unknown |
org | Unknown |
org_id | Unknown |
business | Unknown |
business_id | Unknown |
repo | Unknown |
repo_id | Unknown |
repository | Unknown |
repository_id | Unknown |
repository_public | Unknown |
public_repo | Unknown |
visibility | Unknown |
user | Unknown |
user_id | Unknown |
user_agent | Unknown |
hashed_token | Unknown |
token_id | Unknown |
token_scopes | Unknown |
programmatic_access_type | Unknown |
external_identity_nameid | Unknown |
external_identity_username | Unknown |
issuer | Unknown |
pull_request_id | Unknown |
pull_request_title | Unknown |
pull_request_url | Unknown |
review_id | Unknown |
workflow_id | Unknown |
workflow_run_id | Unknown |
event | Unknown |
trigger_id | Unknown |
run_number | Unknown |
| Column | Type |
|---|---|
run_attempt | Unknown |
name | Unknown |
started_at | Unknown |
completed_at | Unknown |
conclusion | Unknown |
head_branch | Unknown |
head_sha | Unknown |
topic | Unknown |
is_hosted_runner | Unknown |
runner_id | Unknown |
runner_name | Unknown |
runner_group_id | Unknown |
runner_group_name | Unknown |
runner_owner_type | Unknown |
job_name | Unknown |
job_workflow_ref | Unknown |
runner_labels | Unknown |
secrets_passed | Unknown |
environment_name | Unknown |
before_sha | Unknown |
after_sha | Unknown |
branch | Unknown |
overridden_codes | Unknown |
reasons | Unknown |
application_name | Unknown |
integration | Unknown |
oauth_application_id | Unknown |
request_method | Unknown |
route | Unknown |
url_path | Unknown |
query_string | Unknown |
request_body | Unknown |
status_code | Unknown |
rate_limit_remaining | Unknown |
request_access_security_header | Unknown |
transport_protocol | Unknown |
transport_protocol_name | Unknown |