GitHub Audit
Datable integrates with GitHub's Audit Log API to collect security and compliance events from your GitHub Enterprise organization, providing visibility into user activities, repository changes, and security events.
How it works
The GitHub Audit integration uses the GitHub Enterprise Audit Log API to periodically collect audit events from your organization. These events include user actions, permission changes, repository modifications, and security-related activities.
Prerequisites
- GitHub Enterprise Cloud subscription
- Organization owner or security manager access
- Personal Access Token (classic) with the read:audit_log scope
Setup Instructions
Step 1: Create a Personal Access Token
- Sign in to GitHub Enterprise
- Navigate to Settings → Developer settings → Personal access tokens → Tokens (classic)
- Click Generate new token
- Configure the token:
- Note: "Datable Audit Log Integration"
- Expiration: Set appropriate expiration (recommend 90 days)
- Scopes: Select the following:
- read:audit_log (Read audit log) - required; this is the only scope the organization audit log endpoint needs
- read:enterprise (Read enterprise profile data) - only if you will also set an enterprise slug in Step 2
Do not select admin:org (Full control of orgs and teams): the integration only reads the audit log, and a token carrying admin:org can modify your organization if it leaks.
- Click Generate token
- Copy and securely store the token
Step 2: Configure the Source in Datable
- Navigate to Sources in Datable
- Select GitHub Audit from available sources
- Provide configuration:
- Source Name: Descriptive name for this source
- API Token: Personal Access Token from Step 1
- Organization: Your GitHub organization name
- Enterprise (optional): Enterprise slug if using Enterprise
- Click Save to create the source
Step 3: Verify Data Collection
After configuration, audit logs should begin flowing within minutes:
- Check source status in Datable dashboard
- View recent events in Data Explorer
- Generate a test event (e.g., add a team member) and verify it appears
Data Collected
User Events
- Authentication: Login attempts, 2FA changes, SSH key additions
- Authorization: Permission changes, role assignments
- Profile Changes: Email updates, username changes
Repository Events
- Creation/Deletion: Repository lifecycle events
- Settings Changes: Visibility, branch protection, webhook configuration
- Access Control: Collaborator additions, team permissions
Organization Events
- Member Management: Invitations, removals, role changes
- Team Operations: Team creation, membership changes
- Policy Changes: Security settings, compliance configurations
Security Events
- Secret Scanning: Detected secrets, alert dismissals
- Dependabot: Security updates, vulnerability alerts
- Code Scanning: Security analysis results
- Advanced Security: Feature enablement, policy changes
Compliance Events
- Audit Log Access: Who accessed audit logs
- Data Exports: Repository exports, migration events
- Legal Holds: Preservation requests
Event Schema
Each audit event is a JSON object like the one below. Which fields are present depends on the action: repo, repo_id and visibility appear only on repository events, business only on enterprise-scoped events, and the payload under data varies per action.
  {
    "@timestamp": "2024-01-15T10:30:00Z",
    "action": "repo.create",
    "actor": "username",
    "actor_id": 123456,
    "actor_location": {
      "country_code": "US"
    },
    "created_at": "2024-01-15T10:30:00Z",
    "operation_type": "create",
    "org": "my-organization",
    "org_id": 789012,
    "repo": "my-organization/new-repo",
    "repo_id": 345678,
    "user": "affected-user",
    "user_id": 234567,
    "visibility": "private",
    "business": "my-enterprise",
    "config": {},
    "config_was": {},
    "actor_ip": "192.0.2.1",
    "data": {
      "additional": "fields"
    }
  }
Filtering Options
By Event Category
Configure collection of specific event categories:
- authentication - Login and auth events
- repository - Repository management
- organization - Org-level changes
- team - Team management
- security - Security features
- integration - App and webhook events
By Actor
Filter events by actor:
actor:username
actor_id:123456
By Repository
Filter by repository:
repo:org/repo-name
repo_id:789012
Time Range
Specify historical data collection:
- Initial sync: Up to 90 days of history
- Ongoing: Real-time collection
Advanced Configuration
API Rate Limiting
GitHub enforces rate limits:
- Primary rate limit: 5,000 requests per hour per authenticated user
- Audit log specific: 1,750 requests per hour per user and IP address (additional tokens issued to the same user share this limit)
The integration handles rate limiting automatically with:
- Exponential backoff
- Request throttling
- Efficient pagination
Multiple Organizations
Monitor multiple organizations by:
- Creating separate sources for each org
- Using a token with access to all orgs
- Configuring org-specific filters
Use Cases
Security Monitoring
- Track unauthorized access attempts
- Monitor permission escalations
- Detect suspicious API usage
- Identify compromised accounts
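Detection logic for the checks in this list, as an added example that is not Datable's or GitHub's code. It runs over constructed sample events in the shape shown under Event Schema: the action names (org.update_member, repo.access, protected_branch.destroy, org.disable_two_factor_requirement) are real GitHub audit log actions, but the payload fields it keys on (data.permission, visibility) and the six-hour travel window are assumptions to verify against your own events.

```python
"""Flag privilege escalations, weakened controls and impossible travel in a
batch of GitHub audit events.  Added example for this page, not Datable's or
GitHub's code; SAMPLE_EVENTS below are constructed, not real org data."""
from collections import defaultdict
from datetime import datetime


def _ts(event):
    return datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))


def classify_event(event):
    """Stateless checks on one event; returns a list of finding labels."""
    action = event.get("action", "")
    data = event.get("data", {})
    findings = []
    # Assumption: org.update_member carries the new role in data.permission.
    if action == "org.update_member" and data.get("permission") == "admin":
        findings.append("member promoted to org owner")
    if action == "repo.access" and event.get("visibility") == "public":
        findings.append("repository made public")
    if action in {"protected_branch.destroy", "protected_branch.update_admin_enforced"}:
        findings.append("branch protection removed or weakened")
    if action == "org.disable_two_factor_requirement":
        findings.append("org-wide 2FA requirement disabled")
    return findings


def detect_location_anomalies(events, window_hours=6):
    """Stateful check: the same actor seen from two countries within the
    window, a common sign of a stolen token or hijacked session."""
    by_actor = defaultdict(list)
    for ev in events:
        cc = ev.get("actor_location", {}).get("country_code")
        if cc:
            by_actor[ev["actor"]].append((_ts(ev), cc))
    findings = []
    for actor, seen in by_actor.items():
        seen.sort()
        for (t1, c1), (t2, c2) in zip(seen, seen[1:]):
            if c1 != c2 and (t2 - t1).total_seconds() <= window_hours * 3600:
                findings.append((actor, f"activity from {c1} then {c2} within {window_hours}h"))
    return findings


def run_detections(events):
    """Return (actor, action, label) tuples for everything the checks flag."""
    out = []
    for ev in sorted(events, key=_ts):
        for label in classify_event(ev):
            out.append((ev["actor"], ev["action"], label))
    for actor, label in detect_location_anomalies(events):
        out.append((actor, "actor_location", label))
    return out


SAMPLE_EVENTS = [  # constructed sample data in the page's event schema
    {"@timestamp": "2024-01-15T10:30:00Z", "action": "repo.create", "actor": "alice",
     "actor_location": {"country_code": "US"}, "repo": "my-organization/new-repo",
     "visibility": "private", "data": {}},
    {"@timestamp": "2024-01-15T10:42:00Z", "action": "org.update_member", "actor": "alice",
     "actor_location": {"country_code": "US"}, "user": "bob", "data": {"permission": "admin"}},
    {"@timestamp": "2024-01-15T11:05:00Z", "action": "repo.access", "actor": "bob",
     "actor_location": {"country_code": "DE"}, "repo": "my-organization/internal-tools",
     "visibility": "public", "data": {}},
    {"@timestamp": "2024-01-15T12:10:00Z", "action": "protected_branch.destroy", "actor": "alice",
     "actor_location": {"country_code": "RO"}, "repo": "my-organization/new-repo", "data": {}},
    {"@timestamp": "2024-01-15T12:11:00Z", "action": "org.disable_two_factor_requirement",
     "actor": "alice", "actor_location": {"country_code": "RO"}, "org": "my-organization", "data": {}},
]

if __name__ == "__main__":
    for actor, action, label in run_detections(SAMPLE_EVENTS):
        print(f"{actor:<6} {action:<36} {label}")
```

The stateless checks map directly to the "permission escalations" bullet; the location check is the cheapest of the "compromised accounts" heuristics and works because actor_location is populated on every event the API returns, so it needs no extra data source.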
Compliance Auditing
- Maintain audit trails for regulations
- Track data access and exports
- Monitor privileged actions
- Generate compliance reports
Operational Intelligence
- Analyze repository growth
- Track team collaboration patterns
- Monitor CI/CD activities
- Identify automation opportunities
Incident Response
- Investigate security incidents
- Track remediation actions
- Analyze attack patterns
- Document response activities
Troubleshooting
No Events Appearing
- Verify the token is valid and which user it belongs to:
  curl -H "Authorization: token YOUR_TOKEN" \
       https://api.github.com/user
- Check audit log access (the response should be a JSON array; an error body names the cause, typically a missing read:audit_log scope, a user who is not an org owner, or a wrong org name):
  curl -H "Authorization: token YOUR_TOKEN" \
       "https://api.github.com/orgs/YOUR_ORG/audit-log?per_page=1"
- Ensure Enterprise features are enabled
Authentication Errors
- Token may be expired - regenerate
- Verify token has correct scopes
- Check organization name is correct
- Ensure user has organization owner access
Missing Events
- Some events require Enterprise plan
- Check event filtering configuration
- Verify webhook delivery (if using webhooks)
- Review GitHub audit log retention (180 days for most events; Git events such as clone, fetch and push are kept for only 7 days)
Rate Limiting
If experiencing rate limit issues:
- Reduce polling frequency
- Use webhook delivery for real-time events
- Implement event filtering
- Consider using multiple tokens
Security Best Practices
Token Management
- Rotate tokens regularly (every 90 days)
- Use fine-grained personal access tokens when available
- Store tokens securely (never in code)
- Monitor token usage in GitHub settings
Access Control
- Use dedicated service account
- Grant minimum required permissions
- Enable SSO/SAML if available
- Require 2FA for admin accounts
Data Protection
- Encrypt tokens in transit and at rest
- Implement IP allowlisting if possible
- Monitor for suspicious API access
- Review audit log access regularly
GitHub Enterprise Features
Enhanced Audit Events
Enterprise accounts have access to additional events:
- Git events (clone, fetch, push)
- Search events
- Code view events
- Download events
Streaming to External Systems
Enterprise can stream audit logs to:
- Amazon S3
- Azure Blob Storage
- Azure Event Hubs
- Google Cloud Storage
- Splunk
Compliance Reports
Generate compliance reports for:
- SOC 2
- ISO 27001
- HIPAA
- PCI DSS
API Examples
List Audit Events
curl -H "Authorization: token YOUR_TOKEN" \
"https://api.github.com/orgs/YOUR_ORG/audit-log?per_page=100"
Filter by Actor
The endpoint has no actor parameter; filters go in the phrase parameter, which uses the same search syntax as the audit log UI:
curl -G -H "Authorization: token YOUR_TOKEN" \
  --data-urlencode "phrase=actor:username" \
  https://api.github.com/orgs/YOUR_ORG/audit-log
Filter by Date Range
The after and before parameters are pagination cursors taken from the Link header, not dates; use the created: qualifier instead:
curl -G -H "Authorization: token YOUR_TOKEN" \
  --data-urlencode "phrase=created:2024-01-01..2024-01-31" \
  https://api.github.com/orgs/YOUR_ORG/audit-log
Best Practices
- Enable All Audit Events: Collect comprehensive data for security
- Use Webhooks for Critical Events: Get real-time alerts
- Implement Event Correlation: Link related events
- Regular Token Rotation: Maintain security posture
- Monitor API Usage: Track rate limit consumption
- Archive Historical Data: Maintain long-term records
- Test Incident Scenarios: Validate detection capabilities
Support
For additional support with the GitHub Audit integration, please contact the Datable support team or refer to the GitHub Audit Log documentation.