Audit log streaming can now be configured via GitHub's REST APIs - Private Beta

[boylejj]

New Private Beta Coming Soon

Summary

This release introduces a set of audit log streaming REST API endpoints that allow Enterprise Admins to perform the following audit log streaming actions:

1. GET Endpoint: Retrieve the audit log streaming configurations.
2. Stream Key Endpoint: Provide the customer with an audit streaming key. This key is essential for our customers to encrypt their secrets before sending them via an API call.
3. POST Endpoint: Create new audit log stream configurations.
4. PUT Endpoint: Update existing audit log stream configurations.
5. DELETE Endpoint: Delete existing audit log stream configurations.

With these new REST API endpoint, Enterprise administrators can programmatically create, update, delete and list their Enterprise's audit log streams. By allowing programmatic updates to the audit log streaming configuration, customers can programmatically rotate audit log streaming secrets further secure their audit log stream.

Rate Limits

These REST API endpoints will enforce a limit of 15 calls per hour.

GET Endpoint: Retrieve the audit log streaming configurations.

GET /enterprises/{enterprise_id}/audit-log/streams

Request:

GET /enterprises/1234/audit-log/streams

Response

{
  "id": 1,
  "stream_type": "DataDog",
  "stream_details": "US",
  "enabled": true,
  "created_at": "2024-06-06T08:00:00Z",
  "updated_at": "2024-06-06T08:00:00Z",
  "paused_at": null
}

GET /enterprises/{enterprise_id}/audit-log/streams/{stream_id}

Request

GET /enterprises/1234/audit-log/streams/1

Response

{
  "id": 1,
  "stream_type": "DataDog",
  "stream_details": "US",
  "enabled": true,
  "created_at": "2024-06-06T08:00:00Z",
  "updated_at": "2024-06-06T08:00:00Z",
  "paused_at": null
}

Stream Key Endpoint: Provide the customer with an audit streaming key.

When performing a POST or PUT operation, customers will need to transmit encrypted secrets to GitHub to configure audit log
streaming. To do so, the customer will need to have the audit log streaming key as input to the encryption process.

GET /enterprises/{enterprise_id}/audit-log/stream-key

Request

GET /enterprises/1234/audit-log/stream-key

Response

{
"key_id": "{key_id value}",
"key" : {key value}",
}

POST Endpoint: Create new audit log stream configurations & PUT Endpoint: Update existing audit log stream configurations.

Prior to performing either a POST or PUT operation for an audit log stream, Enterprise Administrators must first encrypt the secret from their streaming destination (if applicable). To do so, the customer must have the stream-key from the stream key endpoint above. From there, the Enterprise Admin can follow the instructions for Encrypting secrets for the REST API using the stream key as the key. Once complete, the POST or PUT endpoints can be used to create or update the audit log streaming configuration.

PUT /enterprises/{enterprise_id}/audit-log/streams/{stream_id} for DataDog

Request

PUT /enterprises/1234/audit-log/streams/1.
Content-Type: application/json

{
  "enabled": false,
  "stream_type": "Datadog",
  "vendor_specific": {
    "encrypted_token": "NEW-SUPER-ENCRYPTED",
    "site": "US3",
    "key_id": "NEW-SUPER-SECURE_KEY"
  }
}

Response

{
  "id": 2,
  "stream_type": "Datadog",
  "stream_details": "Datadog",
  "enabled": false,
  "created_at": "2024-06-06T08:00:00Z",
  "updated_at": "2024-06-06T08:01:00Z",
  "paused_at": "2024-06-06T08:01:00Z"
}

PUT /enterprises/{enterprise_id}/audit-log/streams/{stream_id} for Splunk

Request

PUT /enterprises/1234/audit-log/streams/2
Content-Type: application/json

{
  "enabled": false,
  "stream_type": "Splunk",
  "vendor_specific": {
    "key_id": "v1",
    "domain": "new.splunk.domain",
    "port": 8089,
    "encrypted_token": "NEW-SPLUNK-TOKEN",
    "ssl_verify": true
  }
}

Response

{
  "id": 2,
  "stream_type": "Splunk",
  "stream_details": "new.splunk.domain:8089",
  "enabled": false,
  "created_at": "2024-06-06T08:00:00Z",
  "updated_at": "2024-06-06T08:01:00Z",
  "paused_at": "2024-06-06T08:01:00Z"
}

PUT /enterprises/{enterprise_id}/audit-log/streams/{stream_id} for Azure Blob Storage

Request

PUT /enterprises/1234/audit-log/streams/3
Content-Type: application/json

{
  "enabled": false,
  "stream_type": "Azure Blob Storage",
  "vendor_specific": {
    "key_id": "v1",
    "encrypted_sas_url": "<encrypted_sas_url>"
  }
}

Response

{
  "id": 3,
  "stream_type": "Azure Blob Storage",
  "stream_details": "newaccount:newcontainer",
  "enabled": false,
  "created_at": "2024-06-06T08:00:00Z",
  "updated_at": "2024-06-06T08:01:00Z",
  "paused_at": "2024-06-06T08:01:00Z"
}

PUT /enterprises/{enterprise_id}/audit-log/streams/{stream_id} for Azure Event Hubs

Request

PUT /enterprises/1234/audit-log/streams/4
Content-Type: application/json

{
  "enabled": false,
  "stream_type": "Azure Event Hubs",
  "vendor_specific": {
    "key_id": "v1",
    "name": "new-instance-name-of-azure-event-hubs",
    "encrypted_connstring": "<encrypted_connection_string"
  }
}

Response

{
  "id": 4,
  "stream_type": "Azure Event Hubs",
  "stream_details": "new-instance-name-of-azure-event-hubs",
  "enabled": false,
  "created_at": "2024-06-06T08:00:00Z",
  "updated_at": "2024-06-06T08:01:00Z",
  "paused_at": "2024-06-06T08:01:00Z"
}

PUT /enterprises/{enterprise_id}/audit-log/streams/{stream_id} for Google Cloud Storage

Request

PUT /enterprises/1234/audit-log/streams/5
Content-Type: application/json

{
  "enabled": false,
  "stream_type": "Google Cloud Storage",
  "vendor_specific": {
    "key_id": "v1",
    "bucket": "<bucket_name>",
    "encrypted_json_credentials": "<encrypted_json_credentials>"
  }
}

Response

{
  "id": 5,
  "stream_type": "Google Cloud Storage",
  "stream_details": "newprojectid",
  "enabled": false,
  "created_at": "2024-06-06T08:00:00Z",
  "updated_at": "2024-06-06T08:01:00Z",
  "paused_at": "2024-06-06T08:01:00Z"
}

PUT /enterprises/{enterprise_id}/audit-log/streams/{stream_id} Amazon S3 with Access Keys

Request

PUT /enterprises/1234/audit-log/streams/1
Content-Type: application/json

{
"enabled": false,
"stream_type": "Amazon S3",
"vendor_specific": {
  "bucket": "new-bucket",
  "key_id": "new-key-id",
  "encrypted_access_key_id": "new-encrypted-access-key-id",
  "encrypted_secret_key": "new-encrypted-secret-key",
  "authentication_type": "access_keys",
  "region": "us-west-2"
}
}

Response

{
  "id": 1,
  "stream_type": "Amazon S3",
  "stream_details": "new-bucket",
  "enabled": false,
  "created_at": "2024-06-06T08:02:35.479Z",
  "updated_at": "2024-06-06T08:02:35.479Z",
  "paused_at": null
}

PUT /enterprises/{enterprise_id}/audit-log/streams/{stream_id} Amazon S3 with OIDC

Request

PUT /enterprises/1234/audit-log/streams/1
Content-Type: application/json

{
"enabled": false,
"stream_type": "Amazon S3",
"vendor_specific": {
  "bucket": "new-bucket",
  "key_id": "new-key-id",
  "authentication_type": "oidc",
  "arn_role": "<arn_role_string>",
  "region": "us-west-2"
}
}

Response

{
  "id": 1,
  "stream_type": "Amazon S3",
  "stream_details": "new-bucket",
  "enabled": false,
  "created_at": "2024-06-06T08:02:35.479Z",
  "updated_at": "2024-06-06T08:02:35.479Z",
  "paused_at": null
}

DELETE Endpoint: Delete existing audit log stream configurations.

DELETE /enterprises/{enterprise_id}/audit-log/streams/{stream_id}

Request

DELETE /enterprises/1234/audit-log/streams/1

Response

{}

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐