GitHub Audit Log
Overview
GitHub provides organization-level audit logging that tracks user actions across repositories, teams, and settings. KYRA MDR collects audit events via the GitHub Audit Log API or webhook streaming to detect unauthorized repository access, permission changes, and secret exposure.
Prerequisites
- KYRA MDR account (MDR tier or above)
- KYRA Collector installed with outbound HTTPS access to api.github.com
- GitHub Organization (audit log API requires GitHub Enterprise Cloud for full event access)
- Personal access token (classic) with admin:org and read:audit_log scopes, or a GitHub App with organization permissions
Configuration
Step 1: Create a Personal Access Token
- Go to GitHub > Settings > Developer settings > Personal access tokens > Tokens (classic)
- Click Generate new token (classic)
- Select scopes: admin:org, read:audit_log
- Set expiration and click Generate token
Alternatively, use a GitHub App with organization_administration: read permission.
Step 2: Configure KYRA Collector
```yaml
source:
  type: github-audit
  token: "<PERSONAL_ACCESS_TOKEN>"
  organizations:
    - "your-org-name"
  poll_interval: 300  # seconds
  collect:
    - audit_log  # org-level audit events
  include_events:  # optional filter
    - repo.*
    - org.*
    - team.*
    - member.*
    - secret_scanning_alert.*
```
Then reload the Collector and check its status:
```bash
kyra-collector reload
kyra-collector status
```
Step 3: Verify API Access
Test the Audit Log API directly:
```bash
# List recent audit events
curl -s -H "Authorization: Bearer <TOKEN>" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/orgs/<ORG>/audit-log?per_page=5" \
  | jq '.[] | {action, actor, created_at, actor_location}'

# Filter by specific event category
curl -s -H "Authorization: Bearer <TOKEN>" \
  -H "Accept: application/vnd.github+json" \
  "https://api.github.com/orgs/<ORG>/audit-log?phrase=action:repo.destroy&per_page=10" \
  | jq '.[] | {action, actor, repo, created_at}'
```
Using the GitHub CLI:
```bash
# Install gh CLI if needed: https://cli.github.com/

# List recent audit log entries
gh api orgs/<ORG>/audit-log --paginate --jq '.[] | {action, actor, created_at}' | head -20

# Filter for member events
gh api "orgs/<ORG>/audit-log?phrase=action:org.add_member" \
  --jq '.[] | {action, actor, user, created_at}'

# Export full audit log to file
gh api orgs/<ORG>/audit-log --paginate > audit-log-export.json
```
Step 4: Configure Audit Log Streaming (Optional)
GitHub Enterprise Cloud supports streaming audit logs to external destinations:
- Go to Organization Settings > Audit log > Log streaming
- Choose a destination:
- Amazon S3: Configure bucket, region, access key
- Azure Event Hubs: Configure namespace, event hub name, SAS connection string
- Google Cloud Storage: Configure bucket, JSON credentials
- Splunk: Configure HEC token, URL
- Enable the stream and verify events arrive
For KYRA MDR, stream to S3 and configure the Collector to read from the bucket:
```yaml
source:
  type: s3
  bucket: "kyra-github-audit-logs"
  region: "ap-northeast-2"
  prefix: "github-audit/"
  poll_interval: 60
  format: json
```
Step 5: Verify on KYRA Collector
```bash
kyra-collector logs --source github-audit --tail 10
```
Collected Log Types
| Log Type | Description | Security Use |
|---|---|---|
| repo.* | Repository create, delete, visibility change, transfer, archive | Code access control |
| org.* | Organization member add/remove, role changes, SSO configuration | Identity governance |
| team.* | Team create/delete, member add/remove, repository access changes | Privilege management |
| member.* | Collaborator invitations, permission changes | Access reviews |
| secret_scanning_alert.* | Secret detection alerts created, resolved, reopened | Secret exposure response |
| private_vulnerability_reporting.* | Vulnerability reports received and triaged | Vulnerability management |
| protected_branch.* | Branch protection rule changes | Code integrity |
Security-Critical GitHub Events
| Event | Indicator | Description |
|---|---|---|
| repo.access (visibility changed to public) | Data exposure | Private repo made public |
| repo.destroy | Data destruction | Repository permanently deleted |
| org.remove_member followed by repo.destroy | Insider threat | Departing member deleting repositories |
| protected_branch.destroy | Control bypass | Branch protection removed |
| org.disable_two_factor_requirement | Security downgrade | MFA requirement disabled for organization |
| secret_scanning_alert.create | Credential leak | Secret detected in committed code |
| integration_installation.create | Supply chain risk | New GitHub App installed on organization |
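The table above is, in effect, a small rule set. The following script is an added example (not KYRA MDR's detection logic or GitHub's code) that runs those rules over audit-log records: the single-event rules match on action, the visibility rule inspects a repo.access entry, and the insider-threat rule correlates an org.remove_member with a later repo.destroy by an account named in the removal within a 24-hour window (the window and the visibility field name are assumptions of the example). The sample records are constructed and only loosely follow the REST API's field layout (action, actor, repo, user, created_at as epoch milliseconds).

```python
"""Flag security-critical GitHub audit-log events.

Added example, not KYRA MDR's or GitHub's own code. Records follow the
shape of the REST audit-log API loosely: ``action``, ``actor``, ``repo``,
``user`` and ``created_at`` (epoch milliseconds); the ``visibility`` field
on repo.access entries is an assumption of this example.
"""

# Single-event rules from the table: action -> (indicator, description)
SINGLE_EVENT_RULES = {
    "repo.destroy": ("Data destruction", "Repository permanently deleted"),
    "protected_branch.destroy": ("Control bypass", "Branch protection removed"),
    "org.disable_two_factor_requirement": ("Security downgrade",
                                           "MFA requirement disabled for organization"),
    "secret_scanning_alert.create": ("Credential leak", "Secret detected in committed code"),
    "integration_installation.create": ("Supply chain risk",
                                        "New GitHub App installed on organization"),
}

# Correlation window for "org.remove_member followed by repo.destroy" (assumed: 24 hours).
INSIDER_WINDOW_MS = 24 * 60 * 60 * 1000


def _finding(indicator, description, ev):
    return {
        "indicator": indicator,
        "description": description,
        "action": ev.get("action"),
        "actor": ev.get("actor"),
        "repo": ev.get("repo"),
        "created_at": ev.get("created_at"),
    }


def flag_events(events):
    """Return findings for the security-critical events, in chronological order."""
    findings = []
    # Accounts touched by a recent org.remove_member (the removed user and the
    # actor who removed them), mapped to the removal timestamp.
    recent_removals = {}
    for ev in sorted(events, key=lambda e: e["created_at"]):
        action = ev.get("action", "")
        actor = ev.get("actor")
        ts = ev["created_at"]

        if action == "repo.access" and ev.get("visibility") == "public":
            findings.append(_finding("Data exposure", "Private repo made public", ev))

        if action in SINGLE_EVENT_RULES:
            findings.append(_finding(*SINGLE_EVENT_RULES[action], ev))

        if action == "org.remove_member":
            for account in (actor, ev.get("user")):
                if account:
                    recent_removals[account] = ts

        if (action == "repo.destroy" and actor in recent_removals
                and ts - recent_removals[actor] <= INSIDER_WINDOW_MS):
            findings.append(_finding("Insider threat",
                                     "Departing member deleting repositories", ev))
    return findings


# Constructed sample records (not real audit-log output).
T0 = 1_700_000_000_000
SAMPLE_EVENTS = [
    {"action": "org.remove_member", "actor": "admin-a", "user": "dev-x", "created_at": T0},
    {"action": "repo.destroy", "actor": "dev-x", "repo": "acme/payments",
     "created_at": T0 + 60_000},
    {"action": "repo.access", "actor": "dev-y", "repo": "acme/internal-tools",
     "visibility": "public", "created_at": T0 + 120_000},
    {"action": "repo.access", "actor": "dev-y", "repo": "acme/site",
     "visibility": "private", "created_at": T0 + 180_000},
    {"action": "protected_branch.destroy", "actor": "dev-z", "repo": "acme/payments",
     "created_at": T0 + 240_000},
    {"action": "team.add_member", "actor": "admin-a", "user": "dev-w",
     "created_at": T0 + 300_000},
    {"action": "integration_installation.create", "actor": "admin-a",
     "created_at": T0 + 360_000},
]

if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f"{f['indicator']:18} {f['action']:35} actor={f['actor']} repo={f['repo']}")
```

Feeding the output of the gh export above through this function (after `json.load`) gives the same findings over real data; the sort on created_at matters because the API returns newest entries first, while the correlation rule needs the removal to precede the deletion.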
Troubleshooting
- 404 Not Found: Audit log API requires GitHub Enterprise Cloud. Free and Team plans have limited audit log access via the web UI only.
- 401 Bad credentials: Verify the PAT has not expired and has admin:org and read:audit_log scopes.
- Incomplete events: The REST API returns events from the last 90 days. For longer retention, enable audit log streaming to S3 or similar.
- Rate limiting (403): GitHub API allows 5000 requests/hour for authenticated users. Use per_page=100 and pagination cursors to reduce request count.
- Missing actor_location: IP-based geolocation data is only available for Enterprise Cloud organizations with IP allow lists enabled.
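The rate-limiting item above recommends per_page=100 with cursor pagination. The script below is an added example (not KYRA MDR's collector code) of a polling loop that does this: it requests 100 entries per page, follows the rel="next" URL from the Link response header (which carries GitHub's after cursor), and pauses until X-RateLimit-Reset when a 403 arrives with X-RateLimit-Remaining at 0. The fetch and sleep callables are injectable, so demo_offline() exercises the loop against three constructed responses without network access; the live http_fetch uses only standard-library urllib.

```python
"""Page through the GitHub organization audit-log REST endpoint.

Added example, not KYRA MDR's own collector code. It requests per_page=100,
follows the ``Link: <url>; rel="next"`` header the endpoint returns (which
carries GitHub's ``after`` cursor), and waits out a 403 whose
``X-RateLimit-Remaining`` is 0. ``fetch`` and ``sleep`` are injectable so the
loop can run offline against constructed responses.
"""
import json
import re
import time
import urllib.error
import urllib.parse
import urllib.request

API = "https://api.github.com"
NEXT_RE = re.compile(r'<([^>]+)>;\s*rel="next"')


def _header(headers, name):
    """Case-insensitive header lookup (works for urllib headers and plain dicts)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def next_link(link_header):
    """Return the rel="next" URL from a Link header value, or None on the last page."""
    if not link_header:
        return None
    match = NEXT_RE.search(link_header)
    return match.group(1) if match else None


def http_fetch(url, token):
    """Live fetcher: returns (status, headers, body_text) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def iter_audit_log(org, token, phrase=None, fetch=http_fetch, sleep=time.sleep, max_pages=1000):
    """Yield audit-log entries for ``org`` across all pages, in the API's own order."""
    url = f"{API}/orgs/{org}/audit-log?per_page=100"
    if phrase:
        url += "&phrase=" + urllib.parse.quote(phrase)
    pages = 0
    while url and pages < max_pages:
        status, headers, body = fetch(url, token)
        if status == 403 and _header(headers, "X-RateLimit-Remaining") == "0":
            reset = int(_header(headers, "X-RateLimit-Reset") or 0)
            sleep(max(0, reset - int(time.time())) + 1)
            continue  # retry the same URL once the window has reset
        if status != 200:
            raise RuntimeError(f"GitHub API returned {status} for {url}: {body[:200]}")
        for entry in json.loads(body):
            yield entry
        url = next_link(_header(headers, "Link"))
        pages += 1


def demo_offline():
    """Run the loop against constructed responses: page 1, a rate-limit 403, then page 2."""
    responses = [
        (200, {"Link": f'<{API}/organizations/1/audit-log?after=abc&per_page=100>; rel="next"'},
         '[{"action": "repo.create", "actor": "dev-x"}, '
         '{"action": "org.add_member", "actor": "admin-a"}]'),
        (403, {"X-RateLimit-Remaining": "0", "X-RateLimit-Reset": "0"}, '{"message": "rate limit"}'),
        (200, {}, '[{"action": "repo.destroy", "actor": "dev-x"}]'),
    ]
    urls, sleeps = [], []

    def fake_fetch(url, token):  # constructed stand-in for http_fetch
        urls.append(url)
        return responses[len(urls) - 1]

    events = list(iter_audit_log("acme", "placeholder-token", phrase="action:repo",
                                 fetch=fake_fetch, sleep=sleeps.append))
    return events, urls, sleeps


if __name__ == "__main__":
    events, urls, sleeps = demo_offline()
    print(f"{len(events)} events over {len(urls)} requests, {len(sleeps)} rate-limit pause(s)")
```

To run it live, call iter_audit_log("<ORG>", token) with the same PAT used for the curl checks in Step 3; max_pages bounds the walk so a misbehaving Link chain cannot loop forever.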
Contact kyra@seekerslab.com for integration support.