Note
This article contains the events that may appear in your user account's security log. For the events that can appear in an organization's audit log or the audit log for an enterprise, see Audit log events for your organization and Audit log events for your enterprise.
About security log events
The name for each audit log entry is composed of a category of events, followed by an operation type. For example, the repo.create
entry refers to the create
operation on the repo
category. The reference information in this article is grouped by categories.
Audit log events
account
account.plan_change
- The account's plan changed.
- Fields
actor
,operation_type
,_document_id
,user_agent
,created_at
,actor_id
,request_id
,@timestamp
,user
,action
,user_id
,programmatic_access_type
- Reference
- /billing/managing-the-plan-for-your-github-account/about-billing-for-plans
actions_cache
actions_cache.delete
- A GitHub Actions cache was deleted using the REST API.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application_id
,user_id
,user
,repo_id
,repo
,org
,org_id
,actions_cache_id
,actions_cache_key
,actions_cache_version
,actions_cache_scope
,action
,_document_id
,@timestamp
,created_at
,operation_type
,token_scopes
,programmatic_access_type
,request_access_security_header
artifact
artifact.destroy
- A workflow run artifact was manually deleted.
- Fields
action
,actor
,user_agent
,actor_id
,repo
,repo_id
,request_id
,@timestamp
,created_at
,_document_id
,operation_type
,programmatic_access_type
billing
billing.change_billing_type
- The way the account pays for GitHub was changed.
- Fields
actor_id
,user
,@timestamp
,actor
,user_id
,action
,created_at
,operation_type
,_document_id
,user_agent
,request_id
- Reference
- Managing your payment and billing information
billing.change_email
- The billing email address changed.
- Fields
actor
,operation_type
,actor_id
,org_id
,@timestamp
,user_agent
,request_id
,created_at
,_document_id
,org
,email
,action
,request_access_security_header
- Reference
- Managing your payment and billing information
business
business.security_center_export_code_scanning_metrics
- A CSV export was requested on the "CodeQL pull request alerts" page.
- Fields
actor
,actor_id
,user_agent
,request_id
,business
,business_id
,user
,user_id
,query
,filename
,requested_at
,start_date
,end_date
,action
,_document_id
,@timestamp
,created_at
,operation_type
,actor_is_bot
,request_access_security_header
business.security_center_export_coverage
- A CSV export was requested on the "Coverage" page.
- Fields
actor
,actor_id
,user_agent
,request_id
,business
,business_id
,user
,user_id
,query
,filename
,requested_at
,action
,_document_id
,@timestamp
,created_at
,operation_type
,actor_is_bot
,request_access_security_header
business.security_center_export_overview_dashboard
- A CSV export was requested on the "Overview Dashboard" page.
- Fields
actor
,actor_id
,user_agent
,request_id
,business
,business_id
,user
,user_id
,query
,filename
,requested_at
,start_date
,end_date
,action
,_document_id
,@timestamp
,created_at
,operation_type
,actor_is_bot
,request_access_security_header
business.security_center_export_risk
- A CSV export was requested on the "Risk" page.
- Fields
actor
,actor_id
,user_agent
,request_id
,business
,business_id
,user
,user_id
,query
,filename
,requested_at
,action
,_document_id
,@timestamp
,created_at
,operation_type
,actor_is_bot
business.set_actions_fork_pr_approvals_policy
- The policy for requiring approvals for workflows from public forks was changed for an enterprise.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,policy
,business
,business_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- Enforcing policies for GitHub Actions in your enterprise
business.set_actions_private_fork_pr_approvals_policy
- The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,policy
,business
,business_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- Enforcing policies for GitHub Actions in your enterprise
business.set_actions_retention_limit
- The retention period for GitHub Actions artifacts and logs was changed for an enterprise.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,limit
,business
,business_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- Enforcing policies for GitHub Actions in your enterprise
business.set_default_workflow_permissions
- The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,business
,business_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- Enforcing policies for GitHub Actions in your enterprise
business.set_fork_pr_workflows_policy
- The policy for fork pull request workflows was changed for an enterprise.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,policy
,business
,business_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,request_access_security_header
- Reference
- Enforcing policies for GitHub Actions in your enterprise
business.set_workflow_permission_can_approve_pr
- The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,business
,business_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- Enforcing policies for GitHub Actions in your enterprise
checks
checks.auto_trigger_disabled
- Automatic creation of check suites was disabled on a repository in the organization or enterprise.
- Fields
visibility
,user_agent
,user
,@timestamp
,repo
,actor_id
,user_id
,action
,created_at
,actor
,operation_type
,request_id
,repo_id
,_document_id
- Reference
- /rest/checks#update-repository-preferences-for-check-suites
checks.auto_trigger_enabled
- Automatic creation of check suites was enabled on a repository in the organization or enterprise.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,repo
,repo_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
- Reference
- /rest/checks#update-repository-preferences-for-check-suites
checks.delete_logs
- Logs in a check suite were deleted.
- Fields
@timestamp
,actor
,actor_id
,operation_type
,repo_id
,action
,created_at
,_document_id
,user_agent
,request_id
,repo
,programmatic_access_type
codespaces
codespaces.allow_permissions
- A codespace using custom permissions from its devcontainer.json file was launched.
- Fields
user_agent
,request_id
,actor
,actor_id
,origin_repository
,action
,_document_id
,@timestamp
,created_at
,operation_type
codespaces.connect
- Credentials for a codespace were refreshed.
- Fields
user_agent
,request_id
,actor
,actor_id
,repository_id
,repository
,pull_request_id
,user_id
,org_id
,owner
,name
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,token_scopes
,programmatic_access_type
,actor_is_bot
,machine_type
,devcontainer_path
codespaces.create
- A codespace was created
- Fields
user_agent
,request_id
,actor
,actor_id
,repository_id
,repository
,pull_request_id
,owner
,name
,action
,operation_type
,@timestamp
,created_at
,_document_id
,token_scopes
,programmatic_access_type
,actor_is_bot
,machine_type
,devcontainer_path
- Reference
- Creating a codespace for a repository
codespaces.destroy
- A user deleted a codespace.
- Fields
user_agent
,request_id
,actor
,actor_id
,repository_id
,repository
,pull_request_id
,owner
,name
,action
,operation_type
,@timestamp
,created_at
,_document_id
,token_scopes
,programmatic_access_type
- Reference
- Deleting a codespace
codespaces.export_environment
- A codespace was exported to a branch on GitHub.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application_id
,owner
,action
,_document_id
,@timestamp
,created_at
,operation_type
,public_repo
codespaces.restore
- A codespace was restored.
- Fields
user_agent
,request_id
,actor
,actor_id
,owner
,repo
,repo_id
,public_repo
,action
,_document_id
,@timestamp
,created_at
,operation_type
codespaces.start_environment
- A codespace was started.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,org
,owner
,pull_request_id
,machine_type
,user_id
,user
,devcontainer_path
,repo
,repo_id
,public_repo
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
codespaces.suspend_environment
- A codespace was stopped.
- Fields
user_agent
,request_id
,actor
,actor_id
,owner
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,token_scopes
,programmatic_access_type
codespaces.trusted_repositories_access_update
- A personal account's access and security setting for Codespaces were updated.
- Fields
user_agent
,request_id
,actor
,actor_id
,business
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- Managing access to other repositories within your codespace
copilot
copilot.cfb_seat_added
- A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.
- Fields
user_agent
,request_id
,token_id
,hashed_token
,programmatic_access_type
,actor
,actor_id
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,request_access_security_header
copilot.cfb_seat_assignment_created
- A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.
- Fields
actor
,actor_id
,user_agent
,request_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- What is GitHub Copilot?
copilot.cfb_seat_assignment_refreshed
- A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.
- Fields
user_agent
,request_id
,hashed_token
,programmatic_access_type
,actor
,actor_id
,token_id
,token_scopes
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,request_access_security_header
copilot.cfb_seat_assignment_reused
- A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
copilot.cfb_seat_assignment_unassigned
- A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,request_access_security_header
copilot.cfb_seat_cancelled
- A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.
- Fields
actor
,actor_id
,user_agent
,request_id
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,seat_assignment
,request_access_security_header
copilot.cfb_seat_cancelled_by_staff
- A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.
- Fields
actor
,actor_id
,user_agent
,request_id
,user_id
,user
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
copilot.swe_agent_repo_disabled
- Specific repositories were disabled from using Copilot coding agent.
- Fields
actor
,org_id
,owner_type
,actor_id
,owner
,repo
,repo_id
,public_repo
,org
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
copilot.swe_agent_repo_enabled
- Specific repositories were enabled to use Copilot coding agent.
- Fields
actor
,actor_id
,user_agent
,request_id
,request_access_security_header
,org_id
,owner_type
,owner
,repo
,repo_id
,public_repo
,org
,action
,_document_id
,@timestamp
,created_at
,operation_type
copilot.swe_agent_repo_enablement_updated
- Copilot coding agent access was updated for the organization's or user's repositories.
- Fields
actor
,actor_id
,user_agent
,request_id
,request_access_security_header
,new_access
,old_access
,org_id
,owner_type
,owner
,org
,action
,_document_id
,@timestamp
,created_at
,operation_type
dependabot_alerts
dependabot_alerts.disable
- Dependabot alerts were disabled for all existing repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories
dependabot_alerts.enable
- Dependabot alerts were enabled for all existing repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories
dependabot_alerts_new_repos
dependabot_alerts_new_repos.disable
- Dependabot alerts were disabled for all new repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added
dependabot_alerts_new_repos.enable
- Dependabot alerts were enabled for all new repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added
dependabot_repository_access
dependabot_repository_access.repositories_updated
- The repositories that Dependabot can access were updated.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
dependabot_security_updates
dependabot_security_updates.disable
- Dependabot security updates were disabled for all existing repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
dependabot_security_updates.enable
- Dependabot security updates were enabled for all existing repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
dependabot_security_updates_new_repos
dependabot_security_updates_new_repos.disable
- Dependabot security updates were disabled for all new repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
dependabot_security_updates_new_repos.enable
- Dependabot security updates were enabled for all new repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
dependency_graph
dependency_graph.disable
- The dependency graph was disabled for all existing repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
dependency_graph.enable
- The dependency graph was enabled for all existing repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
dependency_graph_new_repos
dependency_graph_new_repos.disable
- The dependency graph was disabled for all new repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
- Reference
- /organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization
dependency_graph_new_repos.enable
- The dependency graph was enabled for all new repositories.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,user
,user_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
,request_access_security_header
environment
environment.add_protection_rule
- A GitHub Actions deployment protection rule was created via the API.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,programmatic_access_type
,request_access_security_header
- Reference
- Managing environments for deployment
environment.create_actions_secret
- A secret was created for a GitHub Actions environment.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application_id
,key
,visibility
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,business
,business_id
,public_repo
,token_scopes
,programmatic_access_type
,request_access_security_header
- Reference
- Managing environments for deployment
environment.create_actions_variable
- A variable was created for a GitHub Actions environment.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,visibility
,environment_name
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,actor_is_bot
,request_access_security_header
- Reference
- Store information in variables
environment.delete
- An environment was deleted.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,token_scopes
,programmatic_access_type
,actor_is_bot
,request_access_security_header
- Reference
- Managing environments for deployment
environment.remove_actions_secret
- A secret was deleted for a GitHub Actions environment.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application_id
,key
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,business
,business_id
,public_repo
,token_scopes
,request_access_security_header
- Reference
- Managing environments for deployment
environment.remove_actions_variable
- A variable was deleted for a GitHub Actions environment.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,environment_name
,repo
,repo_id
,public_repo
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- Store information in variables
environment.remove_protection_rule
- A GitHub Actions deployment protection rule was deleted via the API.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,request_access_security_header
- Reference
- Managing environments for deployment
environment.update_actions_secret
- A secret was updated for a GitHub Actions environment.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application_id
,key
,visibility
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,programmatic_access_type
,request_access_security_header
- Reference
- Managing environments for deployment
environment.update_actions_variable
- A variable was updated for a GitHub Actions environment.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,visibility
,environment_name
,repo
,repo_id
,public_repo
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- Store information in variables
environment.update_protection_rule
- A GitHub Actions deployment protection rule was updated via the API.
- Fields
user_agent
,request_id
,actor
,actor_id
,repo
,repo_id
,org
,org_id
,action
,@timestamp
,_document_id
,new_value
,approvers_was
,approvers
,programmatic_access_type
,can_admins_bypass
,prevent_self_review
- Reference
- Managing environments for deployment
gist
gist.create
- A gist was created.
- Fields
request_id
,user_id
,user
,gist_id
,@timestamp
,created_at
,operation_type
,user_agent
,actor
,actor_id
,visibility
,action
,_document_id
,token_scopes
,programmatic_access_type
gist.destroy
- A gist was deleted.
- Fields
user_id
,gist_id
,visibility
,created_at
,_document_id
,user
,request_id
,operation_type
,actor
,actor_id
,action
,user_agent
,@timestamp
,programmatic_access_type
gist.visibility_change
- The visibility of a gist was updated.
- Fields
action
,operation_type
,@timestamp
,user_agent
,actor
,user
,gist_id
,actor_id
,request_id
,visibility
,user_id
,created_at
,_document_id
,token_scopes
,programmatic_access_type
git_signing_ssh_public_key
git_signing_ssh_public_key.create
- An SSH key was added to a user account as a Git commit signing key.
- Fields
actor
,actor_id
,user_agent
,request_id
,title
,key
,fingerprint
,user_id
,user
,action
,_document_id
,@timestamp
,created_at
,operation_type
,token_scopes
,request_access_security_header
- Reference
- /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key
git_signing_ssh_public_key.delete
- An SSH key was removed from a user account as a Git commit signing key.
- Fields
actor
,actor_id
,user_agent
,request_id
,title
,key
,fingerprint
,user_id
,explanation
,user
,action
,_document_id
,@timestamp
,created_at
,operation_type
,token_scopes
,request_access_security_header
- Reference
- /authentication/managing-commit-signature-verification/telling-git-about-your-signing-key
hook
hook.active_changed
- A hook's active status was updated.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,name
,events
,active
,active_was
,hook_id
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
,programmatic_access_type
hook.config_changed
- A hook's configuration was changed.
- Fields
actor_id
,operation_type
,@timestamp
,_document_id
,actor
,name
,org
,user_agent
,request_id
,hook_id
,repo
,repo_id
,created_at
,oauth_application_id
,action
,events
,org_id
,token_scopes
,programmatic_access_type
hook.create
- A new hook was added.
- Fields
oauth_application
,_document_id
,user_agent
,actor
,actor_id
,oauth_application_id
,repo_id
,request_id
,hook_id
,events
,repo
,@timestamp
,operation_type
,name
,action
,created_at
,org_id
,org
,token_scopes
,programmatic_access_type
- Reference
- About webhooks
hook.destroy
- A hook was deleted.
- Fields
actor
,events
,repo
,created_at
,org
,name
,request_id
,actor_id
,repo_id
,org_id
,action
,operation_type
,oauth_application_id
,user_agent
,hook_id
,@timestamp
,_document_id
,token_scopes
,programmatic_access_type
hook.events_changed
- A hook's configured events were changed.
- Fields
actor
,events
,repo
,operation_type
,action
,_document_id
,actor_id
,name
,events_were
,@timestamp
,created_at
,hook_id
,repo_id
,org_id
,org
,user_agent
,request_id
,oauth_application_id
,token_scopes
,programmatic_access_type
integration
integration.create
- A GitHub App was created.
- Fields
user
,action
,operation_type
,@timestamp
,actor
,user_agent
,actor_id
,request_id
,name
,user_id
,_document_id
,integration
,created_at
,programmatic_access_type
,request_access_security_header
,application_client_id
integration.destroy
- A GitHub App was deleted.
- Fields
actor
,user_id
,actor_id
,request_id
,@timestamp
,name
,integration
,user
,_document_id
,action
,operation_type
,created_at
,user_agent
integration.manager_added
- A member of an enterprise or organization was added as a GitHub App manager.
- Fields
created_at
,action
,_document_id
,name
,org_id
,manager
,operation_type
,actor
,integration
,org
,@timestamp
,actor_id
,request_id
,user_agent
- Reference
- /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization
integration.manager_removed
- A member of an enterprise or organization was removed from being a GitHub App manager.
- Fields
user_agent
,request_id
,actor_id
,org
,operation_type
,integration
,org_id
,_document_id
,action
,actor
,name
,created_at
,manager
,@timestamp
- Reference
- /organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization
integration.remove_client_secret
- A client secret for a GitHub App was removed.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,integration
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,request_access_security_header
integration.revoke_all_tokens
- All user tokens for a GitHub App were requested to be revoked.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,integration
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,application_client_id
integration.revoke_tokens
- Token(s) for a GitHub App were revoked.
- Fields
user_agent
,request_id
,actor
,actor_id
,name
,integration
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,application_client_id
integration.suspend
- A GitHub App was suspended.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,integration
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,application_client_id
- Reference
- /apps/maintaining-github-apps/suspending-a-github-app-installation
integration.transfer
- Ownership of a GitHub App was transferred to another user or organization.
- Fields
@timestamp
,user_id
,name
,transfer_to_id
,user
,requester
,action
,requester_id
,actor_id
,created_at
,_document_id
,user_agent
,transfer_to
,operation_type
,request_id
,actor
,integration
,transfer_from
,transfer_from_id
,transfer_from_type
,transfer_to_type
- Reference
- /apps/maintaining-github-apps/transferring-ownership-of-a-github-app
integration.unsuspend
- A GitHub App was unsuspended.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,integration
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,application_client_id
- Reference
- /apps/maintaining-github-apps/suspending-a-github-app-installation
integration_installation
integration_installation.create
- A GitHub App was installed.
- Fields
operation_type
,@timestamp
,name
,request_id
,repository_selection
,user_id
,action
,user_agent
,user
,created_at
,integration
,_document_id
,programmatic_access_type
,application_client_id
- Reference
- /apps/using-github-apps/authorizing-github-apps
integration_installation.destroy
- A GitHub App was uninstalled.
- Fields
@timestamp
,request_id
,actor
,created_at
,_document_id
,repository_selection
,integration
,user_id
,user
,action
,operation_type
,name
,actor_id
,user_agent
,programmatic_access_type
,application_client_id
- Reference
- /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access
integration_installation.repositories_added
- Repositories were added to a GitHub App.
- Fields
user_id
,repository_selection
,name
,user
,request_id
,integration
,operation_type
,actor_id
,action
,repositories_added
,created_at
,_document_id
,@timestamp
,actor
,user_agent
,token_scopes
,repositories_added_names
,programmatic_access_type
,actor_is_bot
,application_client_id
- Reference
- /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access
integration_installation.repositories_removed
- Repositories were removed from a GitHub App.
- Fields
user
,operation_type
,user_agent
,actor
,repository_selection
,repositories_removed
,integration
,user_id
,created_at
,_document_id
,request_id
,@timestamp
,name
,action
,actor_id
,repositories_removed_names
,programmatic_access_type
,actor_is_bot
,application_client_id
- Reference
- /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access
integration_installation.suspend
- A GitHub App was suspended.
- Fields
user_agent
,request_id
,name
,repository_selection
,actor_id
,integration
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,request_access_security_header
,application_client_id
- Reference
- /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access
integration_installation.unsuspend
- A GitHub App was unsuspended.
- Fields
user_agent
,request_id
,name
,repository_selection
,actor_id
,integration
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access
integration_installation.version_updated
- Permissions for a GitHub App were updated.
- Fields
integration
,user_id
,user_agent
,name
,user
,operation_type
,actor_id
,action
,_document_id
,request_id
,created_at
,repository_selection
,@timestamp
,actor
,application_client_id
- Reference
- /apps/using-github-apps/approving-updated-permissions-for-a-github-app
marketplace_agreement_signature
marketplace_agreement_signature.create
- The GitHub Marketplace Developer Agreement was signed.
- Fields
request_id
,actor
,actor_id
,@timestamp
,_document_id
,user_agent
,operation_type
,created_at
,action
,user
,user_id
,request_access_security_header
marketplace_listing
marketplace_listing.approve
- A listing was approved for inclusion in GitHub Marketplace.
- Fields
secondary_category
,actor
,primary_category
,user
,@timestamp
,_document_id
,user_id
,user_agent
,operation_type
,created_at
,request_id
,actor_id
,marketplace_listing
,integration
,action
marketplace_listing.change_category
- A category for a listing for an app in GitHub Marketplace was changed.
- Fields
primary_category
,user_agent
,request_id
,actor
,marketplace_listing
,@timestamp
,integration
,org_id
,action
,org
,secondary_category
,operation_type
,created_at
,actor_id
,_document_id
marketplace_listing.create
- A listing for an app in GitHub Marketplace was created.
- Fields
primary_category
,_document_id
,user
,created_at
,user_agent
,oauth_application
,action
,request_id
,marketplace_listing
,user_id
,secondary_category
,oauth_application_id
,actor
,actor_id
,operation_type
,@timestamp
marketplace_listing.delist
- A listing was removed from GitHub Marketplace.
- Fields
org
,actor
,actor_id
,user_agent
,request_id
,org_id
,created_at
,secondary_category
,operation_type
,marketplace_listing
,action
,@timestamp
,_document_id
,primary_category
,integration
marketplace_listing.redraft
- A listing was sent back to draft state.
- Fields
_document_id
,secondary_category
,oauth_application_id
,@timestamp
,action
,user_agent
,user_id
,operation_type
,oauth_application
,actor
,created_at
,marketplace_listing
,request_id
,actor_id
,primary_category
,user
marketplace_listing.reject
- A listing was not accepted for inclusion in GitHub Marketplace.
- Fields
user_agent
,request_id
,actor
,actor_id
,primary_category
,secondary_category
,marketplace_listing
,oauth_application
,oauth_application_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
migration
migration.create
- A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.
- Fields
repo
,org_id
,_document_id
,org
,repo_id
,action
,actor
,created_at
,operation_type
,@timestamp
,user_agent
,request_id
,actor_id
,token_scopes
,programmatic_access_type
,actor_is_bot
,request_access_security_header
oauth_access
oauth_access.create
- An OAuth access token was generated.
- Fields
_document_id
,operation_type
,user_agent
,actor
,@timestamp
,user
,user_id
,created_at
,action
,actor_id
,request_id
,token_scopes
,programmatic_access_type
,request_access_security_header
,oauth_application_name
- Reference
- /apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens
oauth_access.destroy
- An OAuth access token was deleted.
- Fields
@timestamp
,user_agent
,action
,operation_type
,_document_id
,actor
,created_at
,user
,user_id
,request_id
,explanation
,hashed_token
,actor_id
,token_scopes
,oauth_application_name
- Reference
- /apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps
oauth_access.regenerate
- An OAuth access token was regenerated.
- Fields
user
,user_id
,_document_id
,created_at
,@timestamp
,operation_type
,action
,user_agent
,request_id
,actor
,actor_id
,token_scopes
,programmatic_access_type
,oauth_application_name
oauth_access.revoke
- An OAuth access token was revoked.
- Fields
request_id
,request_access_security_header
,hashed_token
,token_id
,token_scopes
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
oauth_access.update
- An OAuth access token was updated.
- Fields
request_id
,actor_id
,actor
,operation_type
,_document_id
,user_id
,created_at
,action
,@timestamp
,user
,user_agent
,request_access_security_header
oauth_application
oauth_application.create
- An OAuth application was created.
- Fields
org
,created_at
,oauth_application_id
,operation_type
,user_agent
,actor_id
,org_id
,action
,actor
,oauth_application
,@timestamp
,_document_id
,request_id
,request_access_security_header
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_application.destroy
- An OAuth application was deleted.
- Fields
created_at
,oauth_application_id
,user_id
,operation_type
,@timestamp
,user_agent
,oauth_application
,_document_id
,actor
,actor_id
,request_id
,action
,user
,request_access_security_header
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_application.generate_client_secret
- An OAuth application's secret key was generated.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application
,oauth_application_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,request_access_security_header
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_application.remove_client_secret
- An OAuth application's secret key was deleted.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application
,oauth_application_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,request_access_security_header
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_application.reset_secret
- The secret key for an OAuth application was reset.
- Fields
user
,user_id
,action
,oauth_application
,operation_type
,request_id
,actor_id
,_document_id
,created_at
,actor
,oauth_application_id
,@timestamp
,user_agent
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_application.revoke_all_tokens
- All user tokens for an OAuth application were requested to be revoked.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application
,oauth_application_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,request_access_security_header
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_application.revoke_tokens
- Token(s) for an OAuth application were revoked.
- Fields
oauth_application_id
,oauth_application
,actor_id
,user_agent
,@timestamp
,request_id
,user_id
,action
,_document_id
,actor
,user
,created_at
,operation_type
,request_access_security_header
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_application.transfer
- An OAuth application was transferred from one account to another.
- Fields
actor
,operation_type
,created_at
,user_agent
,oauth_application
,actor_id
,oauth_application_id
,@timestamp
,user_id
,_document_id
,request_id
,user
,action
- Reference
- /apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app
oauth_authorization
oauth_authorization.create
- An authorization for an OAuth application was created.
- Fields
operation_type
,user_agent
,user_id
,actor
,org_id
,_document_id
,request_id
,action
,@timestamp
,created_at
,actor_id
,user
,business
,business_id
,token_scopes
,programmatic_access_type
,actor_is_bot
,request_access_security_header
,oauth_application_name
- Reference
- /apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps
oauth_authorization.destroy
- An authorization for an OAuth application was deleted.
- Fields
user_agent
,_document_id
,request_id
,operation_type
,@timestamp
,actor
,created_at
,explanation
,user
,user_id
,org_id
,action
,actor_id
,token_scopes
,actor_is_bot
,oauth_application_name
- Reference
- Reviewing and revoking authorization of GitHub Apps
oauth_authorization.update
- An authorization for an OAuth application was updated.
- Fields
org_id
,request_id
,user_id
,actor
,actor_id
,user_agent
,@timestamp
,operation_type
,action
,user
,created_at
,_document_id
,actor_is_bot
,request_access_security_header
,oauth_application_name
- Reference
- /apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps
org
org.add_member
- A user joined an organization.
- Fields
permission
,_document_id
,org
,operation_type
,request_id
,actor
,user
,@timestamp
,created_at
,user_agent
,org_id
,user_id
,actor_id
,action
,programmatic_access_type
,actor_is_bot
org.add_outside_collaborator
- An outside collaborator was added to a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,inviter
,org
,org_id
,repo
,repo_id
,public_repo
,permission
,invitee
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
org.advanced_security_disabled_for_new_repos
- GitHub Advanced Security was disabled for new repositories in an organization.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,business
,business_id
,token_scopes
org.advanced_security_disabled_on_all_repos
- GitHub Advanced Security was disabled for all repositories in an organization.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,org
,org_id
,business
,business_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,token_scopes
org.advanced_security_enabled_for_new_repos
- GitHub Advanced Security was enabled for new repositories in an organization.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,business
,business_id
,token_scopes
org.advanced_security_enabled_on_all_repos
- GitHub Advanced Security was enabled for all repositories in an organization.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,org
,org_id
,business
,business_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,token_scopes
org.remove_member
- A member was removed from an organization, either manually or due to a two-factor authentication requirement.
- Fields
_document_id
,request_id
,actor_id
,user_agent
,actor
,action
,user_id
,@timestamp
,created_at
,user
,operation_type
,org_id
,org
,token_scopes
,programmatic_access_type
org.security_center_export_code_scanning_metrics
- A CSV export was requested on the CodeQL pull request alerts page.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,user
,user_id
,query
,filename
,requested_at
,start_date
,end_date
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,actor_is_bot
org.security_center_export_coverage
- A CSV export was requested on the Coverage page.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,user
,user_id
,query
,filename
,requested_at
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,actor_is_bot
,request_access_security_header
org.security_center_export_overview_dashboard
- A CSV export was requested on the Overview Dashboard page.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,user
,user_id
,query
,filename
,requested_at
,start_date
,end_date
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,actor_is_bot
,request_access_security_header
org.security_center_export_risk
- A CSV export was requested on the Risk page.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,user
,user_id
,query
,filename
,requested_at
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,actor_is_bot
,request_access_security_header
org.set_actions_fork_pr_approvals_policy
- The setting for requiring approvals for workflows from public forks was changed for an organization.
- Fields
user_agent
,request_id
,actor
,actor_id
,policy
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
- Reference
- /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks
org.set_actions_private_fork_pr_approvals_policy
- The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.
- Fields
actor
,actor_id
,user_agent
,request_id
,policy
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks
org.set_actions_retention_limit
- The retention period for GitHub Actions artifacts and logs in an organization was changed.
- Fields
user_agent
,request_id
,actor
,actor_id
,limit
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization
org.set_default_workflow_permissions
- The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization
org.set_fork_pr_workflows_policy
- The policy for workflows on private repository forks was changed.
- Fields
user_agent
,request_id
,actor
,actor_id
,policy
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks
org.set_workflow_permission_can_approve_pr
- The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.
- Fields
actor
,actor_id
,user_agent
,request_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests
org.update_member
- A person's role was changed from owner to member or member to owner.
- Fields
@timestamp
,org_id
,created_at
,_document_id
,user
,user_id
,action
,request_id
,actor_id
,old_permission
,permission
,actor
,user_agent
,operation_type
,org
org.update_member_repository_creation_permission
- The create repository permission for organization members was changed.
- Fields
actor
,action
,@timestamp
,request_id
,actor_id
,permission
,created_at
,user_agent
,org
,org_id
,_document_id
,visibility
,operation_type
org.update_member_repository_invitation_permission
- An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.
- Fields
actor_id
,permission
,action
,org_id
,actor
,created_at
,_document_id
,business_id
,operation_type
,org
,user_agent
,request_id
,business
,@timestamp
- Reference
- Setting permissions for adding outside collaborators
pages_protected_domain
pages_protected_domain.create
- A GitHub Pages verified domain was created for an organization or enterprise.
- Fields
user_agent
,request_id
,actor
,actor_id
,owner
,owner_type
,domain
,state
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages
pages_protected_domain.delete
- A GitHub Pages verified domain was deleted from an organization or enterprise.
- Fields
user_agent
,request_id
,actor
,actor_id
,owner
,owner_type
,domain
,state
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages
pages_protected_domain.verify
- A GitHub Pages domain was verified for an organization or enterprise.
- Fields
user_agent
,request_id
,actor
,actor_id
,owner
,owner_type
,domain
,state
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages
passkey
passkey.register
- A new passkey was added.
- Fields
actor
,actor_id
,user_agent
,request_id
,nickname
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
passkey.remove
- A new passkey was removed.
- Fields
actor
,actor_id
,user_agent
,request_id
,nickname
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
payment_method
payment_method.create
- A new payment method was added, such as a new credit card or PayPal account.
- Fields
user_agent
,request_id
,user
,operation_type
,user_id
,_document_id
,action
,actor
,actor_id
,@timestamp
,created_at
,request_access_security_header
payment_method.remove
- A payment method was removed.
- Fields
user
,created_at
,actor_id
,@timestamp
,user_id
,action
,operation_type
,actor
,_document_id
,request_access_security_header
payment_method.update
- An existing payment method was updated.
- Fields
operation_type
,request_id
,org_id
,created_at
,actor_id
,@timestamp
,action
,actor
,org
,user_agent
,_document_id
,request_access_security_header
personal_access_token
personal_access_token.access_granted
- A fine-grained personal access token was granted access to resources.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_id
,user_programmatic_access_name
,repository_selection
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization
personal_access_token.access_revoked
- A fine-grained personal access token was revoked. The token can still read public organization resources.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_id
,user_programmatic_access_name
,repository_selection
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization
personal_access_token.create
- Triggered when you create a fine-grained personal access token.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_name
,user
,user_id
,repository_selection
,action
,_document_id
,@timestamp
,created_at
,operation_type
personal_access_token.credential_regenerated
- Triggered when you regenerate a fine-grained personal access token.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_name
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
personal_access_token.credential_revoked
- A fine-grained personal access token was revoked by GitHub Advanced Security.
- Fields
user_programmatic_access_name
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /code-security/getting-started/github-security-features#secret-scanning-alerts-for-users
personal_access_token.destroy
- Triggered when you delete a fine-grained personal access token.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_name
,user
,user_id
,explanation
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
personal_access_token.request_cancelled
- A pending request for a fine-grained personal access token to access organization resources was canceled.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_name
,org
,org_id
,repository_selection
,action
,_document_id
,@timestamp
,created_at
,operation_type
,user_programmatic_access_request_id
personal_access_token.request_created
- Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_id
,user_programmatic_access_name
,user
,user_id
,repository_selection
,action
,_document_id
,@timestamp
,created_at
,operation_type
,user_programmatic_access_request_id
- Reference
- /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization
personal_access_token.request_denied
- A request for a fine-grained personal access token to access organization resources was denied.
- Fields
actor
,actor_id
,user_agent
,request_id
,user_programmatic_access_name
,org
,org_id
,repository_selection
,action
,_document_id
,@timestamp
,created_at
,operation_type
,user_programmatic_access_request_id
- Reference
- /organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization
personal_access_token.update
- A fine-grained personal access token was updated.
- Fields
user_agent
,request_id
,actor
,actor_id
,user_programmatic_access_name
,user
,user_id
,repository_selection
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens
profile_picture
profile_picture.update
- A profile picture was updated.
- Fields
user
,actor_id
,user_id
,@timestamp
,created_at
,owner
,action
,_document_id
,request_id
,user_agent
,actor
,operation_type
- Reference
- /account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile
project
project.access
- A project board visibility was changed.
- Fields
actor_id
,actor
,user_agent
,operation_type
,user
,created_at
,user_id
,action
,request_id
,_document_id
,@timestamp
project.close
- A project board was closed.
- Fields
org_id
,user_agent
,request_id
,operation_type
,@timestamp
,created_at
,repo_id
,org
,_document_id
,project_id
,action
,actor
,actor_id
,repo
,project_kind
- Reference
- Closing a project (classic)
project.create
- A project board was created.
- Fields
operation_type
,user
,_document_id
,request_id
,user_id
,user_agent
,@timestamp
,actor_id
,action
,created_at
,actor
project.delete
- A project board was deleted.
- Fields
request_id
,action
,actor_id
,operation_type
,actor
,user_id
,@timestamp
,created_at
,_document_id
,user_agent
,user
project.link
- A repository was linked to a project board.
- Fields
repo_id
,action
,actor_id
,org_id
,user_agent
,request_id
,actor
,operation_type
,@timestamp
,_document_id
,created_at
,org
,repo
project.open
- A project board was reopened.
- Fields
actor
,request_id
,actor_id
,action
,user_id
,project_id
,_document_id
,user_agent
,operation_type
,user
,@timestamp
,created_at
,project_kind
,project_name
- Reference
- Reopening a closed project (classic)
project.rename
- A project board was renamed.
- Fields
action
,created_at
,request_id
,actor_id
,old_name
,operation_type
,@timestamp
,repo
,_document_id
,user_agent
,org_id
,business_id
,actor
,repo_id
,org
,business
project.unlink
- A repository was unlinked from a project board.
- Fields
repo
,repo_id
,operation_type
,actor
,action
,created_at
,actor_id
,_document_id
,request_id
,@timestamp
,user_agent
,org
,org_id
project.update_org_permission
- The project's base-level permission for all organization members was changed or removed.
- Fields
actor
,org
,@timestamp
,_document_id
,operation_type
,created_at
,request_id
,actor_id
,action
,org_id
,user_agent
project.update_team_permission
- A team's project board permission level was changed or when a team was added or removed from a project board.
- Fields
created_at
,org_id
,operation_type
,org
,actor_id
,_document_id
,request_id
,team
,@timestamp
,action
,user_agent
,actor
project.update_user_permission
- A user was added to or removed from a project board or had their permission level changed.
- Fields
request_id
,user_id
,operation_type
,@timestamp
,actor_id
,user
,user_agent
,actor
,created_at
,org
,_document_id
,org_id
,action
,programmatic_access_type
project.visibility_private
- A project's visibility was changed from public to private.
- Fields
user_agent
,request_id
,actor
,actor_id
,project_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,project_kind
,project_name
project.visibility_public
- A project's visibility was changed from private to public.
- Fields
user_agent
,request_id
,actor
,actor_id
,project_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,project_kind
,project_name
,request_access_security_header
project_collaborator
project_collaborator.add
- A collaborator was added to a project.
- Fields
actor
,actor_id
,user_agent
,request_id
,collaborator_type
,org
,org_id
,collaborator
,action
,_document_id
,@timestamp
,created_at
,operation_type
,actor_is_bot
,public_project
,project_name
,project_role
,old_project_role
,request_access_security_header
project_collaborator.remove
- A collaborator was removed from a project.
- Fields
actor
,actor_id
,user_agent
,request_id
,collaborator_type
,user
,user_id
,collaborator
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
project_collaborator.update
- A project collaborator's permission level was changed.
- Fields
actor
,actor_id
,user_agent
,request_id
,public_project
,project_name
,collaborator_type
,project_role
,old_project_role
,project_id
,user
,user_id
,collaborator
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
project_field
project_field.create
- A field was created in a project board.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /issues/planning-and-tracking-with-projects/understanding-fields
project_field.delete
- A field was deleted in a project board.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields
project_view
project_view.create
- A view was created in a project board.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views
project_view.delete
- A view was deleted in a project board.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views
protected_branch
protected_branch.update_merge_queue_enforcement_level
- Enforcement of the merge queue was modified for a branch.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,merge_queue_enforcement_level
,repo
,repo_id
,public_repo
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue
public_key
public_key.create
- An SSH key was added to a user account or a deploy key was added to a repository.
- Fields
read_only
,user_agent
,actor_id
,operation_type
,created_at
,_document_id
,key
,fingerprint
,actor
,action
,user
,user_id
,@timestamp
,request_id
,title
,token_scopes
,programmatic_access_type
- Reference
- /authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account
public_key.delete
- An SSH key was removed from a user account or a deploy key was removed from a repository.
- Fields
fingerprint
,user_agent
,read_only
,explanation
,repo
,@timestamp
,action
,key
,operation_type
,_document_id
,actor
,title
,request_id
,actor_id
,repo_id
,created_at
,token_scopes
,programmatic_access_type
- Reference
- /authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys
public_key.unverification_failure
- A user account's SSH key or a repository's deploy key was unable to be unverified.
- Fields
user_agent
,request_id
,title
,key
,fingerprint
,read_only
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,token_scopes
- Reference
- /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys
public_key.unverify
- A user account's SSH key or a repository's deploy key was unverified.
- Fields
created_at
,operation_type
,_document_id
,title
,request_id
,key
,action
,actor
,read_only
,explanation
,repo_id
,@timestamp
,actor_id
,repo
,user_agent
,fingerprint
- Reference
- /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys
public_key.update
- A user account's SSH key or a repository's deploy key was updated.
- Fields
actor
,user_agent
,key
,fingerprint
,read_only
,repo_id
,operation_type
,created_at
,actor_id
,repo
,action
,_document_id
,request_id
,title
,@timestamp
,programmatic_access_type
- Reference
- /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys
public_key.verification_failure
- A user account's SSH key or a repository's deploy key was unable to be verified.
- Fields
repo_id
,actor
,key
,fingerprint
,@timestamp
,request_id
,actor_id
,oauth_application_id
,title
,action
,user_agent
,created_at
,repo
,read_only
,operation_type
,_document_id
,user
,user_id
,programmatic_access_type
- Reference
- /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys
public_key.verify
- A user account's SSH key or a repository's deploy key was verified.
- Fields
operation_type
,user
,@timestamp
,_document_id
,action
,created_at
,key
,fingerprint
,actor_id
,actor
,title
,user_agent
,user_id
,request_id
,read_only
,token_scopes
,programmatic_access_type
- Reference
- /authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys
repo
repo.access
- The visibility of a repository changed.
- Fields
repo_id
,user
,request_id
,operation_type
,@timestamp
,actor_id
,user_id
,created_at
,user_agent
,actor
,action
,repo
,visibility
,_document_id
,previous_visibility
,programmatic_access_type
- Reference
- /repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility
repo.actions_enabled
- GitHub Actions was enabled for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,created_at
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,_document_id
,token_scopes
,programmatic_access_type
- Reference
- organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api
repo.add_member
- A collaborator was added to a repository.
- Fields
visibility
,repo
,created_at
,user_agent
,operation_type
,@timestamp
,_document_id
,actor
,actor_id
,repo_id
,user
,request_id
,action
,user_id
,oauth_application_id
,org
,org_id
,token_scopes
,programmatic_access_type
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository
repo.add_topic
- A topic was added to a repository.
- Fields
action
,user_agent
,actor
,repo
,repo_id
,user
,org
,org_id
,request_id
,actor_id
,topic
,@timestamp
,_document_id
,user_id
,created_at
,operation_type
,programmatic_access_type
- Reference
- /repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics
repo.advanced_security_disabled
- GitHub Advanced Security was disabled for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,repository
,repository_id
,business
,business_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,programmatic_access_type
,actor_is_bot
,request_access_security_header
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
repo.advanced_security_enabled
- GitHub Advanced Security was enabled for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,repository
,repository_id
,business
,business_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,programmatic_access_type
,actor_is_bot
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository
repo.archived
- A repository was archived.
- Fields
repo_id
,user_agent
,user_id
,created_at
,@timestamp
,repo
,user
,operation_type
,visibility
,action
,actor_id
,actor
,_document_id
,request_id
,token_scopes
,programmatic_access_type
- Reference
- /repositories/archiving-a-github-repository
repo.change_merge_setting
- Pull request merge options were changed for a repository.
- Fields
actor
,oauth_application_id
,user_agent
,request_id
,created_at
,@timestamp
,_document_id
,actor_id
,operation_type
,action
,public_repo
,token_scopes
,programmatic_access_type
,actor_is_bot
repo.code_scanning_analysis_deleted
- Code scanning analysis for a repository was deleted.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application_id
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,tool
,category
,request_access_security_header
- Reference
- /rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository
repo.code_scanning_configuration_for_branch_deleted
- A code scanning configuration for a branch of a repository was deleted.
- Fields
actor
,actor_id
,user_agent
,request_id
,tool
,branch
,category
,repo
,repo_id
,public_repo
,org
,org_id
,business
,business_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- Resolving code scanning alerts
repo.config.disable_collaborators_only
- The interaction limit for collaborators only was disabled.
- Fields
user_agent
,actor
,actor_id
,repo_id
,_document_id
,action
,created_at
,repo
,operation_type
,@timestamp
,request_id
- Reference
- /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository
repo.config.disable_contributors_only
- The interaction limit for prior contributors only was disabled in a repository.
- Fields
repo
,@timestamp
,request_id
,actor
,_document_id
,user_agent
,actor_id
,repo_id
,action
,operation_type
,created_at
- Reference
- /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository
repo.config.disable_sockpuppet_disallowed
- The interaction limit for existing users only was disabled in a repository.
- Fields
actor
,request_id
,repo_id
,action
,user_agent
,_document_id
,@timestamp
,created_at
,actor_id
,repo
,operation_type
- Reference
- /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository
repo.config.enable_collaborators_only
- The interaction limit for collaborators only was enabled in a repository Users that are not collaborators or organization members were unable to interact with a repository for a set duration.
- Fields
actor
,oauth_application_id
,created_at
,action
,request_id
,repo_id
,repo
,@timestamp
,_document_id
,user_agent
,actor_id
,operation_type
- Reference
- /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository
repo.config.enable_contributors_only
- The interaction limit for prior contributors only was enabled in a repository Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.
- Fields
user_agent
,request_id
,operation_type
,created_at
,actor
,org
,action
,actor_id
,repo
,repo_id
,org_id
,@timestamp
,_document_id
- Reference
- /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository
repo.config.enable_sockpuppet_disallowed
- The interaction limit for existing users was enabled in a repository New users aren't able to interact with a repository for a set duration Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.
- Fields
actor
,operation_type
,created_at
,user_agent
,request_id
,action
,actor_id
,repo
,repo_id
,@timestamp
,_document_id
- Reference
- /communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository
repo.create
- A repository was created.
- Fields
repo
,user_id
,visibility
,repo_id
,user
,request_id
,actor_id
,action
,operation_type
,request_category
,@timestamp
,created_at
,_document_id
,actor
,user_agent
,org
,oauth_application_id
,org_id
,request_method
,business
,business_id
,public_repo
,token_scopes
,programmatic_access_type
,actor_is_bot
- Reference
- /repositories/creating-and-managing-repositories/creating-a-new-repository
repo.create_actions_secret
- A GitHub Actions secret was created for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,key
,repo
,repo_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,token_scopes
,programmatic_access_type
- Reference
- Using secrets in GitHub Actions
repo.create_actions_variable
- A GitHub Actions variable was created for a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,visibility
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,request_access_security_header
- Reference
- Store information in variables
repo.create_integration_secret
- A Codespaces or Dependabot secret was created for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,key
,visibility
,integration
,repo
,repo_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,programmatic_access_type
,request_access_security_header
repo.destroy
- A repository was deleted.
- Fields
repo
,_document_id
,user_agent
,user_id
,actor
,action
,user
,repo_id
,operation_type
,request_category
,actor_id
,visibility
,request_id
,created_at
,@timestamp
,request_method
,oauth_application_id
,token_scopes
,programmatic_access_type
,actor_is_bot
- Reference
- /repositories/creating-and-managing-repositories/deleting-a-repository
repo.pages_cname
- A GitHub Pages custom domain was modified in a repository.
- Fields
actor
,@timestamp
,visibility
,repo
,repo_id
,user
,request_id
,actor_id
,cname
,user_agent
,user_id
,created_at
,_document_id
,action
,operation_type
,old_cname
,programmatic_access_type
repo.pages_create
- A GitHub Pages site was created.
- Fields
actor_id
,user
,_document_id
,user_id
,visibility
,action
,user_agent
,operation_type
,repo_id
,created_at
,@timestamp
,request_id
,actor
,repo
,programmatic_access_type
repo.pages_destroy
- A GitHub Pages site was deleted.
- Fields
created_at
,user_id
,action
,request_id
,user
,repo
,user_agent
,_document_id
,actor_id
,@timestamp
,actor
,visibility
,operation_type
,repo_id
,programmatic_access_type
repo.pages_https_redirect_disabled
- HTTPS redirects were disabled for a GitHub Pages site.
- Fields
user
,actor_id
,repo_id
,_document_id
,user_agent
,actor
,visibility
,user_id
,request_id
,repo
,@timestamp
,operation_type
,action
,created_at
,programmatic_access_type
,request_access_security_header
repo.pages_https_redirect_enabled
- HTTPS redirects were enabled for a GitHub Pages site.
- Fields
request_id
,@timestamp
,user_agent
,user_id
,created_at
,visibility
,actor
,actor_id
,user
,operation_type
,repo_id
,action
,repo
,_document_id
,request_access_security_header
repo.pages_private
- A GitHub Pages site visibility was changed to private.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
repo.pages_public
- A GitHub Pages site visibility was changed to public.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,programmatic_access_type
,request_access_security_header
repo.pages_soft_delete
- A GitHub Pages site was soft-deleted because its owner's plan changed.
- Fields
visibility
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
repo.pages_soft_delete_restore
- A GitHub Pages site that was previously soft-deleted was restored.
- Fields
actor
,actor_id
,user_agent
,request_id
,visibility
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
repo.pages_source
- A GitHub Pages source was modified.
- Fields
user_id
,actor_id
,operation_type
,user_agent
,actor
,@timestamp
,repo_id
,user
,_document_id
,request_id
,visibility
,repo
,created_at
,action
,programmatic_access_type
repo.register_self_hosted_runner
- A new self-hosted runner was registered.
- Fields
actor_id
,repo
,operation_type
,action
,@timestamp
,actor
,user_agent
,created_at
,_document_id
,request_id
,repo_id
,request_access_security_header
- Reference
- Adding self-hosted runners
repo.remove_actions_secret
- A GitHub Actions secret was deleted for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,key
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,token_scopes
,programmatic_access_type
- Reference
- Using secrets in GitHub Actions
repo.remove_actions_variable
- A GitHub Actions variable was deleted for a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,request_access_security_header
- Reference
- Store information in variables
repo.remove_integration_secret
- A Codespaces or Dependabot secret was deleted for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,key
,integration
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,request_access_security_header
repo.remove_member
- A collaborator was removed from a repository.
- Fields
request_id
,user
,business
,action
,actor_id
,org
,org_id
,actor
,created_at
,repo_id
,user_agent
,business_id
,user_id
,operation_type
,@timestamp
,_document_id
,visibility
,repo
,token_scopes
,programmatic_access_type
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository
repo.remove_self_hosted_runner
- A self-hosted runner was removed.
- Fields
request_id
,actor_id
,repo_id
,@timestamp
,_document_id
,repo
,org_id
,action
,operation_type
,user_agent
,actor
,created_at
,org
,token_scopes
,programmatic_access_type
- Reference
- Removing self-hosted runners
repo.remove_topic
- A topic was removed from a repository.
- Fields
user
,action
,repo_id
,user_agent
,topic
,operation_type
,user_id
,org
,org_id
,actor
,business
,request_id
,repo
,@timestamp
,created_at
,_document_id
,actor_id
,business_id
,programmatic_access_type
repo.rename
- A repository was renamed.
- Fields
user_agent
,@timestamp
,request_id
,actor_id
,actor
,old_name
,repo
,user_id
,created_at
,user
,action
,operation_type
,visibility
,repo_id
,_document_id
,programmatic_access_type
- Reference
- /repositories/creating-and-managing-repositories/renaming-a-repository
repo.set_actions_fork_pr_approvals_policy
- The setting for requiring approvals for workflows from public forks was changed for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,policy
,repo
,repo_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,public_repo
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks
repo.set_actions_private_fork_pr_approvals_policy
- The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,visibility
,policy
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories
repo.set_actions_retention_limit
- The retention period for GitHub Actions artifacts and logs in a repository was changed.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,limit
,repo
,repo_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository
repo.set_default_workflow_permissions
- The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,visibility
,repo
,repo_id
,public_repo
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository
repo.set_fork_pr_workflows_policy
- Triggered when the policy for workflows on private repository forks is changed.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,policy
,repo
,repo_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks
repo.set_workflow_permission_can_approve_pr
- The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,visibility
,repo
,repo_id
,public_repo
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests
repo.staff_unlock
- An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.
- Fields
@timestamp
,_document_id
,user_agent
,actor_id
,created_at
,actor
,repo_id
,action
,org
,org_id
,request_id
,repo
,operation_type
repo.temporary_access_granted
- Temporary access was enabled for a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,user
,user_id
,repo
,repo_id
,public_repo
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
- Reference
- Accessing user-owned repositories in your enterprise
repo.transfer
- A user accepted a request to receive a transferred repository.
- Fields
@timestamp
,user_id
,_document_id
,request_id
,actor_id
,repo_id
,owner
,user
,old_user
,action
,operation_type
,created_at
,user_agent
,repo
,visibility
,repo_was
,actor
- Reference
- /repositories/creating-and-managing-repositories/transferring-a-repository
repo.transfer_outgoing
- A repository was transferred to another repository network.
- Fields
user_agent
,request_id
,actor
,actor_id
,repo
,repo_id
,new_nwo
,visibility
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,public_repo
,request_access_security_header
repo.transfer_start
- A user sent a request to transfer a repository to another user or organization.
- Fields
@timestamp
,_document_id
,operation_type
,user_id
,request_id
,user
,action
,user_agent
,created_at
,actor
,visibility
,repo_id
,actor_id
,repo
,request_access_security_header
repo.unarchived
- A repository was unarchived.
- Fields
actor
,request_id
,actor_id
,repo
,operation_type
,created_at
,_document_id
,repo_id
,user
,@timestamp
,visibility
,user_agent
,user_id
,action
,programmatic_access_type
- Reference
- /repositories/archiving-a-github-repository
repo.update_actions_access_settings
- The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,policy
,old_policy
,repo
,repo_id
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
repo.update_actions_secret
- A GitHub Actions secret was updated for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,oauth_application_id
,key
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,business
,business_id
,token_scopes
,programmatic_access_type
- Reference
- Using secrets in GitHub Actions
repo.update_actions_settings
- A repository administrator changed GitHub Actions policy settings for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,new_policy
,old_policy
,updated_access_policy
,programmatic_access_type
,actor_is_bot
repo.update_actions_variable
- A GitHub Actions variable was updated for a repository.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,visibility
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,request_access_security_header
- Reference
- Store information in variables
repo.update_default_branch
- The default branch for a repository was changed.
- Fields
user_agent
,request_id
,actor
,actor_id
,visibility
,repo
,repo_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,token_scopes
,programmatic_access_type
,actor_is_bot
repo.update_integration_secret
- A Codespaces or Dependabot secret was updated for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,key
,visibility
,integration
,repo
,repo_id
,org
,org_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,token_scopes
,programmatic_access_type
,request_access_security_header
repo.update_member
- A user's permission to a repository was changed.
- Fields
user_agent
,action
,_document_id
,actor
,repo_id
,created_at
,oauth_application_id
,user
,@timestamp
,repo
,operation_type
,request_id
,org_id
,actor_id
,visibility
,old_permission
,org
,user_id
,old_base_role
,old_repo_permission
,old_repo_base_role
,new_repo_base_role
,new_repo_permission
,token_scopes
,programmatic_access_type
,actor_is_bot
repository_image
repository_image.create
- An image to represent a repository was uploaded.
- Fields
user_agent
,operation_type
,created_at
,actor_id
,repo_id
,action
,request_id
,actor
,content_type
,repo
,@timestamp
,_document_id
,user
,user_id
,request_access_security_header
repository_image.destroy
- An image to represent a repository was deleted.
- Fields
content_type
,created_at
,actor_id
,user_id
,operation_type
,request_id
,_document_id
,actor
,repo_id
,user_agent
,repo
,user
,action
,@timestamp
,request_access_security_header
repository_invitation
repository_invitation.accept
- An invitation to join a repository was accepted.
- Fields
actor_id
,created_at
,request_id
,repo
,invitee
,operation_type
,actor
,repo_id
,_document_id
,action
,user_agent
,inviter
,@timestamp
,token_scopes
,programmatic_access_type
repository_invitation.cancel
- An invitation to join a repository was canceled.
- Fields
inviter
,action
,operation_type
,_document_id
,repo_id
,repo
,@timestamp
,user_agent
,invitee
,created_at
,request_id
,actor
,actor_id
,request_access_security_header
repository_invitation.create
- An invitation to join a repository was sent.
- Fields
_document_id
,actor
,actor_id
,@timestamp
,invitee
,action
,request_id
,inviter
,repo
,created_at
,user_agent
,repo_id
,operation_type
,token_scopes
,programmatic_access_type
repository_invitation.reject
- An invitation to join a repository was declined.
- Fields
repo
,_document_id
,actor
,invitee
,action
,@timestamp
,request_id
,actor_id
,operation_type
,created_at
,inviter
,user_agent
,repo_id
repository_ruleset
repository_ruleset.create
- A repository ruleset was created.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,ruleset_id
,ruleset_name
,ruleset_enforcement
,ruleset_source_type
,ruleset_rules
,ruleset_conditions
,ruleset_bypass_actors
,request_access_security_header
- Reference
- /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository
repository_ruleset.destroy
- A repository ruleset was deleted.
- Fields
actor
,actor_id
,user_agent
,request_id
,name
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,ruleset_id
,ruleset_name
,ruleset_enforcement
,ruleset_source_type
,ruleset_rules
,ruleset_bypass_actors
,request_access_security_header
- Reference
- /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset
repository_ruleset.update
- A repository ruleset was edited.
- Fields
actor
,actor_id
,user_agent
,request_id
,old_name
,repo
,repo_id
,public_repo
,org
,org_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,ruleset_id
,ruleset_name
,ruleset_enforcement
,ruleset_source_type
,ruleset_rules_updated
,ruleset_conditions_added
,ruleset_conditions_deleted
,ruleset_old_enforcement
,ruleset_rules_added
,ruleset_rules_deleted
,ruleset_old_name
,ruleset_conditions_updated
,ruleset_bypass_actors_added
,ruleset_bypass_actors_deleted
,ruleset_bypass_actors_updated
,actor_is_bot
- Reference
- /repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset
security_key
security_key.register
- A security key was registered for an account.
- Fields
actor_id
,user
,created_at
,user_id
,action
,operation_type
,request_id
,@timestamp
,_document_id
,actor
,user_agent
,request_access_security_header
security_key.remove
- A security key was removed from an account.
- Fields
actor
,user_id
,operation_type
,_document_id
,user_agent
,@timestamp
,request_id
,actor_id
,action
,created_at
,user
,request_access_security_header
sponsors
sponsors.agreement_sign
- A GitHub Sponsors agreement was signed on behalf of an organization.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,sponsors_listing_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
sponsors.custom_amount_settings_change
- Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,sponsors_listing_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers
sponsors.fiscal_host_change
- The fiscal host for a GitHub Sponsors listing was updated.
- Fields
user_agent
,request_id
,actor
,actor_id
,org
,org_id
,sponsors_listing_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
sponsors.repo_funding_links_file_action
- The FUNDING file in a repository was changed.
- Fields
@timestamp
,action
,created_at
,_document_id
,request_id
,repository
,repository_id
,actor
,user_agent
,actor_id
,operation_type
- Reference
- /repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
sponsors.sponsor_sponsorship_cancel
- A sponsorship was canceled.
- Fields
operation_type
,_document_id
,created_at
,actor
,user
,action
,actor_id
,user_id
,@timestamp
- Reference
- Downgrading a sponsorship
sponsors.sponsor_sponsorship_create
- A sponsorship was created, by sponsoring an account.
- Fields
actor
,user_id
,action
,@timestamp
,user_agent
,request_id
,user
,operation_type
,created_at
,actor_id
,_document_id
- Reference
- /sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes
sponsors.sponsor_sponsorship_payment_complete
- After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.
- Fields
active
,user
,user_id
,actor
,actor_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes
sponsors.sponsor_sponsorship_preference_change
- The option to receive email updates from a sponsored account was changed.
- Fields
actor_id
,action
,@timestamp
,request_id
,user_id
,created_at
,user
,_document_id
,user_agent
,actor
,operation_type
- Reference
- /sponsors/sponsoring-open-source-contributors/managing-your-sponsorship
sponsors.sponsor_sponsorship_tier_change
- A sponsorship was upgraded or downgraded.
- Fields
user_id
,actor
,actor_id
,action
,user
,operation_type
,@timestamp
,_document_id
,created_at
- Reference
- Upgrading a sponsorship, Downgrading a sponsorship
sponsors.sponsored_developer_approve
- A GitHub Sponsors account was approved.
- Fields
user_id
,action
,user_agent
,request_id
,actor
,user
,operation_type
,@timestamp
,created_at
,actor_id
,_document_id
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account
sponsors.sponsored_developer_create
- A GitHub Sponsors account was created.
- Fields
user_id
,operation_type
,request_id
,actor_id
,@timestamp
,_document_id
,user
,action
,created_at
,user_agent
,actor
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account
sponsors.sponsored_developer_disable
- A GitHub Sponsors account was disabled.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,sponsors_listing_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
sponsors.sponsored_developer_profile_update
- The profile for GitHub Sponsors account was edited.
- Fields
@timestamp
,actor_id
,operation_type
,created_at
,user_agent
,request_id
,actor
,action
,_document_id
,request_access_security_header
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors
sponsors.sponsored_developer_redraft
- A GitHub Sponsors account was returned to draft state from approved state.
- Fields
@timestamp
,created_at
,request_id
,user
,action
,user_agent
,operation_type
,_document_id
,actor
,actor_id
,user_id
sponsors.sponsored_developer_request_approval
- An application for GitHub Sponsors was submitted for approval.
- Fields
user_agent
,user
,@timestamp
,actor_id
,user_id
,request_id
,_document_id
,actor
,action
,operation_type
,created_at
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account
sponsors.sponsored_developer_tier_description_update
- The description for a sponsorship tier was changed.
- Fields
operation_type
,request_id
,actor
,user_id
,action
,@timestamp
,_document_id
,user_agent
,actor_id
,user
,created_at
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers
sponsors.sponsored_developer_update_newsletter_send
- Triggered when you send an email update to your sponsors.
- Fields
request_id
,actor
,action
,user_agent
,operation_type
,_document_id
,created_at
,actor_id
,user
,user_id
,@timestamp
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors
sponsors.sponsors_patreon_user_create
- A Patreon account was linked to a user account for use with GitHub Sponsors.
- Fields
actor
,actor_id
,user_agent
,request_id
,patreon_email
,patreon_username
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account
sponsors.sponsors_patreon_user_destroy
- A Patreon account for use with GitHub Sponsors was unlinked from a user account.
- Fields
actor
,actor_id
,user_agent
,request_id
,patreon_email
,patreon_username
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
- Reference
- Unlinking your Patreon account from GitHub
sponsors.update_tier_repository
- A GitHub Sponsors tier changed access for a repository.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,sponsors_listing_id
,repo
,repo_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
sponsors.update_tier_welcome_message
- The welcome message for a GitHub Sponsors tier for an organization was updated.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,sponsors_listing_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
sponsors.waitlist_join
- You join the waitlist to join GitHub Sponsors.
- Fields
request_id
,actor
,user_id
,user_agent
,actor_id
,action
,operation_type
,created_at
,user
,@timestamp
,_document_id
- Reference
- /sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account
sponsors.withdraw_agreement_signature
- A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,sponsors_listing_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
successor_invitation
successor_invitation.accept
- Triggered when you accept a succession invitation.
- Fields
user_agent
,request_id
,actor
,actor_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories
successor_invitation.cancel
- Triggered when you cancel a succession invitation.
- Fields
user_agent
,request_id
,actor
,actor_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories
successor_invitation.create
- Triggered when you create a succession invitation.
- Fields
user_agent
,request_id
,actor
,actor_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories
successor_invitation.decline
- Triggered when you decline a succession invitation.
- Fields
user_agent
,request_id
,actor
,actor_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories
successor_invitation.revoke
- Triggered when you revoke a succession invitation.
- Fields
user_agent
,request_id
,actor
,actor_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories
trusted_device
trusted_device.register
- A new trusted device was added.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
trusted_device.remove
- A trusted device was removed.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
two_factor_authentication
two_factor_authentication.add_factor
- A secondary authentication factor was added to a user account.
- Fields
actor
,actor_id
,user_agent
,request_id
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication
two_factor_authentication.disabled
- Two-factor authentication was disabled for a user account.
- Fields
actor
,action
,_document_id
,user_agent
,user
,user_id
,actor_id
,created_at
,operation_type
,request_id
,@timestamp
,request_access_security_header
- Reference
- Disabling two-factor authentication for your personal account
two_factor_authentication.enabled
- Two-factor authentication was enabled for a user account.
- Fields
actor
,operation_type
,user_agent
,action
,created_at
,actor_id
,@timestamp
,request_id
,user
,user_id
,_document_id
,request_access_security_header
- Reference
- Configuring two-factor authentication
two_factor_authentication.password_reset_fallback_sms
- A one-time password code was sent to a user account fallback phone number.
- Fields
operation_type
,created_at
,user
,user_id
,action
,@timestamp
,request_id
,_document_id
,user_agent
two_factor_authentication.recovery_codes_regenerated
- Two factor recovery codes were regenerated for a user account.
- Fields
request_id
,actor
,operation_type
,_document_id
,user_id
,action
,user
,user_agent
,actor_id
,@timestamp
,created_at
two_factor_authentication.remove_factor
- A secondary authentication factor was removed from a user account.
- Fields
actor
,actor_id
,user_agent
,request_id
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication
two_factor_authentication.sign_in_fallback_sms
- A one-time password code was sent to a user account fallback phone number.
- Fields
request_id
,operation_type
,user_id
,user
,user_agent
,created_at
,_document_id
,action
,@timestamp
two_factor_authentication.update_fallback
- The two-factor authentication fallback for a user account was changed.
- Fields
@timestamp
,created_at
,_document_id
,user
,user_id
,operation_type
,user_agent
,action
,request_id
,actor
,actor_id
user
user.add_email
- An email address was added to a user account.
- Fields
action
,request_id
,user
,user_id
,user_agent
,operation_type
,_document_id
,actor_id
,actor
,email
,@timestamp
,created_at
,request_access_security_header
- Reference
- /account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account
user.async_delete
- An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.
- Fields
actor
,user_id
,created_at
,user
,@timestamp
,_document_id
,request_id
,actor_id
,operation_type
,user_agent
,action
,request_access_security_header
user.audit_log_export
- Audit log entries were exported.
- Fields
actor_id
,user
,action
,request_id
,actor
,@timestamp
,_document_id
,user_agent
,user_id
,operation_type
,created_at
user.block_user
- A user was blocked by another user.
- Fields
action
,actor
,user_id
,_document_id
,actor_id
,@timestamp
,user_agent
,user
,request_id
,blocked_user
,operation_type
,created_at
,programmatic_access_type
,request_access_security_header
user.change_password
- A user changed their password.
- Fields
request_id
,@timestamp
,user_agent
,actor_id
,operation_type
,actor
,user
,user_id
,action
,created_at
,_document_id
,request_access_security_header
user.codespaces_trusted_repo_access_granted
- Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,programmatic_access_type
- Reference
- Managing access to other repositories within your codespace
user.codespaces_trusted_repo_access_revoked
- Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
- Reference
- Managing access to other repositories within your codespace
user.create
- A new user account was created.
- Fields
email
,user_id
,operation_type
,@timestamp
,request_id
,user
,created_at
,_document_id
,user_agent
,actor
,actor_id
,action
,programmatic_access_type
user.create_integration_secret
- A user secret for Codespaces was created.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,visibility
,integration
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
user.creation_rate_limit_exceeded
- The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.
- Fields
user
,created_at
,user_agent
,_document_id
,operation_type
,oauth_application_id
,action
,actor
,actor_id
,request_id
,user_id
,@timestamp
,token_scopes
,programmatic_access_type
user.delete
- A user account was destroyed by an asynchronous job.
- Fields
operation_type
,created_at
,user_agent
,action
,request_id
,user_id
,actor
,actor_id
,user
,@timestamp
,_document_id
,request_access_security_header
user.demote
- A site administrator was demoted to an ordinary user account.
- Fields
@timestamp
,oauth_application_id
,action
,user
,created_at
,user_agent
,request_id
,actor
,actor_id
,operation_type
,_document_id
,user_id
,programmatic_access_type
,request_access_security_header
user.destroy
- A user deleted his or her account, triggering user.async_delete.
- Fields
request_id
,actor
,user
,_document_id
,created_at
,user_agent
,user_id
,operation_type
,actor_id
,action
,@timestamp
,request_access_security_header
user.failed_login
- A user tried to sign in with an incorrect username, password, or two-factor authentication code.
- Fields
user_id
,action
,operation_type
,request_id
,created_at
,_document_id
,@timestamp
,user
,org_id
,actor
,actor_id
,user_agent
user.forgot_password
- A user requested a password reset.
- Fields
action
,_document_id
,user_agent
,request_id
,user
,operation_type
,@timestamp
,email
,created_at
,user_id
,request_access_security_header
- Reference
- /authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials
user.hide_private_contributions_count
- A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.
- Fields
user_agent
,request_id
,actor
,actor_id
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
- Reference
- /account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile
user.login
- A user signed in.
- Fields
user_agent
,user_id
,actor_id
,@timestamp
,user
,action
,operation_type
,_document_id
,request_id
,created_at
,actor
,passkey_nickname
,request_access_security_header
user.logout
- A user signed out.
- Fields
actor
,actor_id
,user_agent
,request_id
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
user.new_device_used
- A user signed in from a new device.
- Fields
user
,user_id
,actor
,operation_type
,created_at
,user_agent
,actor_id
,action
,@timestamp
,_document_id
,request_id
,request_access_security_header
user.promote
- An ordinary user account was promoted to a site administrator.
- Fields
user_id
,action
,actor
,actor_id
,user
,@timestamp
,created_at
,user_agent
,oauth_application_id
,request_id
,operation_type
,_document_id
,token_scopes
,programmatic_access_type
,request_access_security_header
user.recreate
- A user's account was restored.
- Fields
user_agent
,user
,action
,actor_id
,@timestamp
,_document_id
,request_id
,user_id
,created_at
,actor
,operation_type
user.remove_email
- An email address was removed from a user account.
- Fields
user_agent
,action
,@timestamp
,_document_id
,request_id
,user
,user_id
,operation_type
,actor
,actor_id
,created_at
,email
,token_scopes
,programmatic_access_type
user.remove_integration_secret
- A user secret for Codespaces was deleted.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,integration
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
user.rename
- A username was changed.
- Fields
user
,action
,request_id
,actor_id
,old_login
,created_at
,_document_id
,actor
,user_id
,@timestamp
,operation_type
,user_agent
,token_scopes
,programmatic_access_type
user.reset_password
- A user reset their account password.
- Fields
actor_id
,action
,user_agent
,user
,request_id
,user_id
,created_at
,@timestamp
,_document_id
,actor
,operation_type
,request_access_security_header
user.show_private_contributions_count
- A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.
- Fields
@timestamp
,_document_id
,request_id
,user_id
,action
,actor
,user
,operation_type
,user_agent
,actor_id
,created_at
,request_access_security_header
- Reference
- /account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile
user.sign_in_from_unrecognized_device
- A user signed in from an unrecognized device.
- Fields
request_id
,action
,_document_id
,user_agent
,user
,user_id
,operation_type
,created_at
,actor
,actor_id
,@timestamp
,request_access_security_header
user.sign_in_from_unrecognized_device_and_location
- A user signed in from an unrecognized device and location.
- Fields
actor
,actor_id
,user
,user_id
,@timestamp
,user_agent
,created_at
,_document_id
,request_id
,action
,operation_type
,request_access_security_header
user.suspend
- A user account was suspended.
- Fields
oauth_application_id
,operation_type
,actor_id
,user
,user_agent
,request_id
,actor
,created_at
,_document_id
,@timestamp
,user_id
,action
,token_scopes
,programmatic_access_type
,request_access_security_header
user.two_factor_challenge_failure
- A 2FA challenge issued for a user account failed.
- Fields
operation_type
,created_at
,_document_id
,user_agent
,user
,actor_id
,actor
,user_id
,@timestamp
,action
,request_id
,request_access_security_header
user.two_factor_challenge_success
- A 2FA challenge issued for a user account succeeded.
- Fields
@timestamp
,_document_id
,user_id
,operation_type
,actor_id
,user
,actor
,user_agent
,request_id
,action
,created_at
,request_access_security_header
user.two_factor_recover
- A user used their 2FA recovery codes.
- Fields
user_id
,operation_type
,user_agent
,request_id
,user
,action
,actor
,actor_id
,created_at
,@timestamp
,_document_id
,request_access_security_header
user.two_factor_recovery_codes_downloaded
- A user downloaded 2FA recovery codes for their account.
- Fields
user_id
,operation_type
,actor_id
,user
,request_id
,action
,@timestamp
,created_at
,user_agent
,actor
,_document_id
,request_access_security_header
user.two_factor_recovery_codes_printed
- A user printed 2FA recovery codes for their account.
- Fields
user
,action
,operation_type
,user_agent
,request_id
,user_id
,created_at
,_document_id
,actor
,actor_id
,@timestamp
user.two_factor_recovery_codes_viewed
- A user viewed 2FA recovery codes for their account.
- Fields
actor_id
,user_agent
,actor
,user_id
,action
,created_at
,user
,operation_type
,@timestamp
,request_id
,_document_id
,request_access_security_header
user.two_factor_requested
- A user was prompted for a two-factor authentication code.
- Fields
user
,actor_id
,action
,user_agent
,request_id
,created_at
,_document_id
,user_id
,operation_type
,@timestamp
,actor
- Reference
- /authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication
user.unblock_user
- A user was unblocked by another user.
- Fields
actor_id
,action
,request_id
,_document_id
,blocked_user
,operation_type
,actor
,@timestamp
,user_agent
,user_id
,user
,created_at
,request_access_security_header
user.unsuspend
- A user account was unsuspended.
- Fields
request_id
,_document_id
,user
,action
,user_agent
,actor
,oauth_application_id
,operation_type
,actor_id
,created_at
,@timestamp
,user_id
,token_scopes
,programmatic_access_type
,request_access_security_header
user.update_integration_secret
- A user secret for Codespaces was updated.
- Fields
actor
,actor_id
,user_agent
,request_id
,key
,visibility
,integration
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,request_access_security_header
user_email
user_email.confirm_claim
- An enterprise managed user claimed an email address.
- Fields
actor
,actor_id
,user_agent
,request_id
,user
,user_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,business
,business_id
,actor_is_bot
,request_access_security_header
user_status
user_status.destroy
- Triggered when you clear the status on your profile.
- Fields
org
,user_id
,actor
,message
,user
,actor_id
,created_at
,request_id
,limited_availability
,action
,emoji
,operation_type
,user_agent
,@timestamp
,_document_id
,request_access_security_header
user_status.update
- Triggered when you set or change the status on your profile.
- Fields
limited_availability
,user
,action
,actor_id
,message
,user_id
,created_at
,_document_id
,request_id
,@timestamp
,user_agent
,emoji
,org
,actor
,operation_type
,token_scopes
,programmatic_access_type
- Reference
- /account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status
workflows
workflows.approve_workflow_job
- A workflow job was approved.
- Fields
user_agent
,request_id
,actor
,actor_id
,workflow_run_id
,run_number
,user
,user_id
,repo
,repo_id
,business
,business_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,token_scopes
,programmatic_access_type
,request_access_security_header
- Reference
- Reviewing deployments
workflows.delete_workflow_run
- A workflow run was deleted.
- Fields
user_agent
,request_id
,actor
,actor_id
,repo
,repo_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,workflow_run_id
,started_at
,head_branch
,head_sha
,trigger_id
,programmatic_access_type
- Reference
- Deleting a workflow run
workflows.disable_workflow
- A workflow was disabled.
- Fields
user_agent
,request_id
,actor
,actor_id
,repo
,repo_id
,workflow_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,programmatic_access_type
,actor_is_bot
,request_access_security_header
workflows.enable_workflow
- A workflow was enabled, after previously being disabled by disable_workflow.
- Fields
user_agent
,request_id
,actor
,actor_id
,repo
,repo_id
,workflow_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,programmatic_access_type
,request_access_security_header
workflows.pin_workflow
- A workflow was pinned.
- Fields
actor
,actor_id
,user_agent
,request_id
,repo
,repo_id
,public_repo
,workflow_id
,org
,org_id
,business
,business_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,actor_is_bot
,request_access_security_header
workflows.reject_workflow_job
- A workflow job was rejected.
- Fields
user_agent
,request_id
,actor
,actor_id
,workflow_run_id
,run_number
,user
,user_id
,repo
,repo_id
,action
,operation_type
,@timestamp
,created_at
,_document_id
,public_repo
,programmatic_access_type
,request_access_security_header
- Reference
- Reviewing deployments
workflows.unpin_workflow
- A workflow was unpinned after previously being pinned.
- Fields
actor
,actor_id
,user_agent
,request_id
,repo
,repo_id
,public_repo
,workflow_id
,org
,org_id
,business
,business_id
,action
,_document_id
,@timestamp
,created_at
,operation_type
,actor_is_bot
,request_access_security_header