GitHub Enterprise Audit Log Stream Evidence

Cloud & SaaS, Cloud Infrastructure, GitHub, Cloud Control Plane, SIEM / Log Aggregator

Location

GitHub Enterprise audit log streaming destination and sink records

Description

Forwarded enterprise audit events and stream-configuration evidence that preserve GitHub activity in an external SIEM, object store, or event-processing destination beyond the native UI lookback.

Forensic Value

Audit log streaming is often the only durable source for older GitHub activity. It preserves events that may have rolled out of the UI/API window and also shows whether audit delivery itself was changed, disabled, or redirected during the intrusion.

Tools Required

GitHub Enterprise administration, Streaming destination, SIEM

Collection Commands

GitHub UI

Enterprise settings > Audit log > Streaming: document the destination type, endpoint, health status, and any recent configuration changes, then preserve the streamed records for the incident window

SIEM / Object Store

Export the streamed GitHub audit-log records from the destination for the incident window and preserve the sink configuration alongside the events, so that the two can be compared

Collection Constraints

  • Historical coverage exists only if audit-log streaming was configured before the incident and the sink retained the data.
  • Investigators must preserve both the events and the stream configuration to prove whether delivery gaps were caused by retention, disablement, or sink failure.
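As an added example (not part of this catalog entry), the gap-attribution check described above in Python, run over a constructed JSON-lines export: the field names follow the streamed audit-log shape and the audit_log_streaming.* action names are assumed from GitHub's audit log action list.

```python
import json
from datetime import datetime, timedelta, timezone
# Constructed sample export of streamed enterprise audit events (JSON lines), not real data;
# fields follow the streamed audit-log shape: @timestamp in epoch milliseconds, action, actor.
SAMPLE_STREAM = "\n".join([
    '{"@timestamp": 1700000000000, "action": "repo.create", "actor": "alice"}',
    '{"@timestamp": 1700003600000, "action": "repo.access", "actor": "bob"}',
    '{"@timestamp": 1700007200000, "action": "audit_log_streaming.destroy", "actor": "mallory"}',
    '{"@timestamp": 1700100000000, "action": "audit_log_streaming.create", "actor": "admin"}',
    '{"@timestamp": 1700103600000, "action": "org.update_member", "actor": "admin"}',
])
# Assumed action names for stream-configuration changes; confirm against GitHub's action list.
STREAM_CONFIG_ACTIONS = {"audit_log_streaming.create", "audit_log_streaming.update", "audit_log_streaming.destroy"}

def utc(epoch_seconds):
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)

# Incident window for the constructed sample (starts about 28 hours before the first event).
WINDOW_START, WINDOW_END = utc(1699900000), utc(1700200000)

def parse_stream(text):
    """Parse a JSON-lines export and return the events sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = utc(ev["@timestamp"] / 1000)
    return sorted(events, key=lambda ev: ev["ts"])

def assess_coverage(events, window_start, window_end, max_silence=timedelta(hours=6)):
    """Find delivery gaps inside the window and attribute each one where the events allow it."""
    gaps = []
    first_ts = events[0]["ts"] if events else window_end
    if first_ts - window_start > max_silence:  # nothing at the start of the window at all
        gaps.append({"from": window_start, "to": first_ts,
                     "cause": "no records: streaming not yet configured or sink retention expired"})
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] - prev["ts"] <= max_silence:
            continue
        if prev["action"] == "audit_log_streaming.destroy":  # last event before silence disabled the stream
            cause = f"streaming disabled by {prev['actor']}"
        elif prev["action"] in STREAM_CONFIG_ACTIONS:
            cause = f"stream reconfigured by {prev['actor']}; verify the new destination received events"
        else:  # events simply stop: sink-side failure or retention must be checked at the destination
            cause = "unexplained silence: check sink health and destination-side delivery logs"
        gaps.append({"from": prev["ts"], "to": cur["ts"], "cause": cause})
    config_changes = [ev for ev in events if ev["action"] in STREAM_CONFIG_ACTIONS]
    return {"gaps": gaps, "config_changes": config_changes}

if __name__ == "__main__":
    for gap in assess_coverage(parse_stream(SAMPLE_STREAM), WINDOW_START, WINDOW_END)["gaps"]:
        print(f"{gap['from']:%Y-%m-%d %H:%M} -> {gap['to']:%Y-%m-%d %H:%M}: {gap['cause']}")
```

The stream-configuration events are returned separately so they can be preserved beside the gaps as evidence of who changed delivery and when.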

MITRE ATT&CK Techniques

T1562, T1098