CIM Compatibility for GitHub Cloud Audit Logs
For the github:cloud:audit sourcetype, the add-on maps each event to one of the following CIM data models according to its vendor_action value.
Data model mapped | vendor_action |
---|---|
Change:All_Changes | org.rename, org.update_terms_of_service, org.create, org.update_actions_secret, org.create_actions_secret, org.set_actions_fork_pr_approvals_policy, org.set_actions_retention_limit, org.set_workflow_permission_can_approve_pr, org.set_default_workflow_permissions, org.update_actions_settings, org.secret_scanning_push_protection_disable, org.secret_scanning_push_protection_enable, org.secret_scanning_push_protection_custom_message_enabled, org.secret_scanning_push_protection_custom_message_disabled, org.secret_scanning_push_protection_new_repos_enable, org.secret_scanning_custom_pattern_push_protection_disabled, org.secret_scanning_custom_pattern_push_protection_enabled, repo.access, org.runner_group_updated, org.runner_group_created, org.runner_group_removed, org.config.disable_collaborators_only, org.config.enable_collaborators_only, org.update_member_repository_invitation_permission, org.enable_two_factor_requirement, org.remove_integration_secret, org.remove_actions_secret, repo.self_hosted_runner_offline, repo.self_hosted_runner_online, org.oauth_app_access_denied, org.enable_oauth_app_restrictions, org.disable_oauth_app_restrictions, org.oauth_app_access_approved, org.allow_third_party_access_requests_from_outside_collaborators_enabled, org.allow_third_party_access_requests_from_outside_collaborators_disabled, org.enable_reader_discussion_creation_permission, org.disable_reader_discussion_creation_permission, org.enable_member_team_creation_permission, org.disable_member_team_creation_permission, org.display_commenter_full_name_disabled, org.display_commenter_full_name_enabled, org.disable_two_factor_requirement, org.update_integration_secret, org.create_integration_secret, org.confirm_business_invitation, org.accept_business_invitation, org.config.disable_contributors_only, org.config.enable_contributors_only, org.config.disable_sockpuppet_disallowed, org.config.enable_sockpuppet_disallowed, org.update_new_repository_default_branch_setting, org.update_member_repository_creation_permission, org.update_default_repository_permission, org.cancel_invitation, org.cancel_business_invitation, org.advanced_security_policy_selected_member_enabled, org.advanced_security_policy_selected_member_disabled, repo.advanced_security_disabled, org.advanced_security_disabled_on_all_repos, repo.advanced_security_enabled, org.advanced_security_enabled_on_all_repos, org.advanced_security_disabled_for_new_repos, org.advanced_security_enabled_for_new_repos, repo.update_default_branch, repo.update_integration_secret, repo.update_actions_secret, repo.create_actions_secret, repo.transfer, team.add_repository, repo.actions_enabled, repo.transfer_outgoing, team.remove_repository, repo.register_self_hosted_runner, repo.set_actions_retention_limit, repo.set_actions_fork_pr_approvals_policy, repo.pages_public, repo.update_actions_settings, repo.rename, repo.remove_topic, repo.remove_integration_secret, repo.remove_actions_secret, repo.remove_self_hosted_runner, repo.pages_private, repo.pages_cname, repo.pages_https_redirect_enabled, repo.pages_https_redirect_disabled, repo.pages_source, repo.pages_create, repo.pages_destroy, repo.create, repo.change_merge_setting, repo.destroy, repo.create_integration_secret, repo.config.disable_sockpuppet_disallowed, repo.config.enable_sockpuppet_disallowed, repo.config.disable_collaborators_only, repo.config.enable_collaborators_only, repo.config.disable_contributors_only, repo.config.enable_contributors_only, repo.code_scanning_configuration_for_branch_deleted, repo.code_scanning_analysis_deleted, repo.codeql_enabled, repo.add_topic, team.update_repository_permission, team.create, team.destroy, repo.unarchived, repo.archived, team.change_privacy, team.rename, team.change_parent_team, org.update_saml_provider_settings, org.enable_saml, org.disable_saml, business.disable_two_factor_requirement, business.enable_two_factor_requirement, business.remove_member, pull_request.ready_for_review, business_secret_scanning_custom_pattern.delete, business_secret_scanning_custom_pattern.update, business_secret_scanning_custom_pattern.create, business.advanced_security_policy_update, members_can_view_dependency_insights.clear, members_can_view_dependency_insights.disable, members_can_view_dependency_insights.enable, team_discussions.clear, team_discussions.disable, team_discussions.enable, repository_projects_change.clear, repository_projects_change.disable, repository_projects_change.enable, organization_projects_change.clear, organization_projects_change.disable, organization_projects_change.enable, pull_request.create_review_request, business.set_actions_fork_pr_approvals_policy, business.update_actions_settings, issues.deletes_disabled, issues.deletes_enabled, members_can_delete_repos.clear, members_can_delete_repos.disable, members_can_delete_repos.enable, repository_visibility_change.clear, repository_visibility_change.disable, repository_visibility_change.enable, business.update_member_repository_invitation_permission, private_repository_forking.clear, private_repository_forking.disable, private_repository_forking.enable, business.clear_members_can_create_repos, business.update_member_repository_creation_permission, git.fetch, pull_request.merge, git.push, git.clone, pull_request.create, pull_request.close, hook.create, repository_dependency_graph.enable, repository_secret_scanning.enable, pull_request.reopen, org_credential_authorization.deauthorize, org_credential_authorization.grant, workflows.enable_workflow, integration_installation.repositories_added, repository_secret_scanning_push_protection.disable, business.set_fork_pr_workflows_policy, business.set_actions_retention_limit, issues.deletes_policy_cleared, workflows.completed_workflow_run, workflows.prepared_workflow_job, workflows.created_workflow_run, repository_vulnerability_alerts.enable, environment.create, codespaces.create, codespaces.allow_permissions, codespaces.destroy, public_key.create, public_key.delete, external_group.update, environment.delete, external_group.provision, external_group.delete, ip_allow_list_entry.destroy, ip_allow_list_entry.create, environment.remove_protection_rule, repository_vulnerability_alerts.disable, repository_ruleset.destroy, project_base_role.update, codespaces.export_environment, external_group.unlink, organization_role.destroy, organization_role.create, pages_protected_domain.delete, pages_protected_domain.create, organization_role.update, security_configuration.create, security_configuration.update, security_configuration.delete, repository_secret_scanning_push_protection.enable, repository_secret_scanning_non_provider_patterns.enabled, repository_secret_scanning_automatic_validity_checks.enabled, repository_secret_scanning_generic_secrets.enabled, repo.create_actions_secret, org.secret_scanning_custom_pattern_push_protection_enabled, oauth_access.regenerate, oauth_access.create, issue_comment.update, org.register_self_hosted_runner, pull_request_review.submit, pull_request_review_comment.create, pull_request_review_comment.update, pull_request_review_comment.delete, pull_request_review.delete, pull_request.converted_to_draft, pull_request.remove_review_request, protected_branch.policy_override, protected_branch.branch_allowances, pull_request.rebase, workflows.rerun_workflow_run, workflows.cancel_workflow_run, repository_invitation.create, integration_installation.repositories_removed, protected_branch.update_required_status_checks_enforcement_level, protected_branch.rejected_ref_update, required_status_check.create, required_status_check.destroy |
Change:Account_Management | org.add_member, org.remove_outside_collaborator, repo.remove_member, team.remove_member, org.remove_member, org.integration_manager_removed, org.integration_manager_added, org.update_member, org.restore_member, repo.add_member, team.add_member, org.invite_member, org.unblock_user, org.block_user, repo.update_member, team.demote_maintainer, team.promote_maintainer, user_session.country_change, repo.add_member, user.logout, repo.remove_member, external_group.remove_member, external_identity.deprovision, external_group.add_member, external_identity.provision, external_identity.update, user_status.update, organization_role.revoke, organization_role.assign, user_status.destroy, oauth_access.regenerate, oauth_access.create |
Alerts | repository_vulnerability_alert.create, repository_vulnerability_alert.reopen, user.sign_in_from_unrecognized_device, user.new_device_used, repository_vulnerability_alert.resolve, external_group.scim_api_success, external_identity.scim_api_success, external_identity.scim_api_failure, user.creation_rate_limit_exceeded, external_group.scim_api_failure, repository_vulnerability_alert.create, secret_scanning_alert.validate, secret_scanning_alert.create, secret_scanning_push_protection.bypass, secret_scanning_alert.reopen, secret_scanning_alert.resolve, secret_scanning_push_protection_request.deny |
Authentication | user.login |
Change:Auditing_Changes | checks.delete_logs |