Wazuh GitHub - Organization Audit Monitoring

Wazuh provides security monitoring for GitHub organizations through the github module, which collects audit events via the GitHub Audit Log API. The module tracks repository operations, member and team management, organization settings changes, and git operations. This integration enables detection of repository visibility changes, external collaborator additions, secret scanning alerts, and other critical actions within a GitHub organization.

GitHub Audit Log API

The GitHub Audit Log API provides access to the audit log of a GitHub Enterprise Cloud organization. The API records all actions performed by organization members, including administrative operations and git events.

Using the API requires:

A GitHub Enterprise Cloud subscription
Owner status in the GitHub organization
A personal access token with the appropriate scopes

Personal Access Token

Creating a Token

Navigate to Settings - Developer settings - Personal access tokens - Tokens (classic)
Select Generate new token (classic)
Provide a descriptive name (for example, Wazuh Audit Log Reader)
Set an expiration period
Select the required scopes

Required Scopes

Scope	Description
`admin:org`	Full access to organization management (includes audit log read)
`audit_log`	Read the organization audit log
`repo`	Access to repository events (for private repositories)

The minimum required scope is audit_log. The admin:org scope provides extended access to member and team management events.

Select Generate token
Copy the token (displayed only once)

Module Configuration (github)

The module is configured in ossec.conf on the Wazuh server.

Basic Configuration

<github>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <time_delay>1m</time_delay>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>yes</only_future_events>
  <api_auth>
    <org_name>my-organization</org_name>
    <api_token>ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</api_token>
  </api_auth>
  <api_parameters>
    <event_type>all</event_type>
  </api_parameters>
</github>

Monitoring Web Events Only

<github>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <time_delay>1m</time_delay>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>yes</only_future_events>
  <api_auth>
    <org_name>my-organization</org_name>
    <api_token>ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</api_token>
  </api_auth>
  <api_parameters>
    <event_type>web</event_type>
  </api_parameters>
</github>

Multi-Organization Monitoring

<github>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <time_delay>1m</time_delay>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>yes</only_future_events>
  <api_auth>
    <org_name>production-org</org_name>
    <api_token>ghp_production_token_xxxxxxxxxxxxx</api_token>
  </api_auth>
  <api_auth>
    <org_name>development-org</org_name>
    <api_token>ghp_development_token_xxxxxxxxxxxxx</api_token>
  </api_auth>
  <api_parameters>
    <event_type>all</event_type>
  </api_parameters>
</github>

Module Parameters

Parameter	Default	Description
`enabled`	yes	Enable or disable the module
`interval`	10m	API polling interval (s/m/h/d)
`time_delay`	30s	Scan delay to account for API lag
`curl_max_size`	1M	Maximum API response size
`only_future_events`	yes	Collect only new events after the first run
`org_name`	-	GitHub organization name
`api_token`	-	Personal access token
`event_type`	all	Event type to monitor (all, web, git)

Monitored Event Types

Web Category

Web events cover administrative actions within the organization:

Category	Example Events
Repositories	Creation, deletion, visibility changes, archiving, forking
Organization	Settings changes, policy updates, renaming
Teams	Creation, deletion, member additions and removals
Members	Invitations, removals, role changes
Webhooks	Creation, deletion, configuration changes
Applications	Installation, removal, permission changes for GitHub Apps
Secret scanning	Secret detection in code, alert creation
Dependabot	Dependency vulnerability alerts

Git Category

Git events capture code-level operations:

Event	Description
`git.clone`	Repository cloning
`git.fetch`	Fetching changes from a remote repository
`git.push`	Pushing changes to a remote repository

Alert Examples

Repository Visibility Change

{
  "rule": {
    "id": "91400",
    "level": 9,
    "description": "GitHub: Repository visibility changed to public"
  },
  "data": {
    "github": {
      "action": "repo.access",
      "actor": "admin-user",
      "org": "my-organization",
      "repo": "my-organization/internal-tools",
      "visibility": "public",
      "created_at": "2025-01-15T10:30:00Z"
    }
  }
}

External Collaborator Added

{
  "rule": {
    "id": "91410",
    "level": 6,
    "description": "GitHub: External collaborator added to repository"
  },
  "data": {
    "github": {
      "action": "repo.add_member",
      "actor": "repo-admin",
      "org": "my-organization",
      "repo": "my-organization/production-app",
      "user": "external-developer",
      "created_at": "2025-01-15T11:00:00Z"
    }
  }
}

Secret Scanning Alert

{
  "rule": {
    "id": "91420",
    "level": 12,
    "description": "GitHub: Secret detected in repository code"
  },
  "data": {
    "github": {
      "action": "secret_scanning_alert.created",
      "actor": "github-bot",
      "org": "my-organization",
      "repo": "my-organization/api-service",
      "data": {
        "alert_number": 42,
        "secret_type": "aws_access_key_id",
        "resolution": null
      }
    }
  }
}

Team Deletion

{
  "rule": {
    "id": "91430",
    "level": 7,
    "description": "GitHub: Team deleted from organization"
  },
  "data": {
    "github": {
      "action": "team.destroy",
      "actor": "org-owner",
      "org": "my-organization",
      "team": "security-team",
      "created_at": "2025-01-15T14:00:00Z"
    }
  }
}

Use Cases

Detecting Repository Visibility Changes

Changing a private repository to public
Modifying fork settings for private repositories
Archiving active repositories
Deleting repositories containing production code

Monitoring New Collaborators

Adding external collaborators to repositories with critical code
Inviting users to the organization with the Owner role
Adding members to teams with access to production repositories
Changing permissions for existing members

Monitoring Secret Scanning

Detection of AWS, GCP, and Azure API keys in code
Detection of database tokens and service account credentials
Detection of SSH private keys and TLS certificates
Tracking resolution status of detected secrets

Controlling Administrative Actions

Organization policy changes (requiring 2FA, restricting forks)
Installation and removal of GitHub Apps with elevated permissions
Creation and modification of webhook configurations
Changes to branch protection rules

Troubleshooting

Module Not Receiving Events

Verify the organization has a GitHub Enterprise Cloud subscription
Confirm the token was created by an organization Owner
Check that the token includes the audit_log or admin:org scope
Ensure the organization name is correctly specified in org_name
Review the log file: /var/ossec/logs/ossec.log

401 Unauthorized Error

Verify the token has not been revoked or expired
Confirm the token is a classic personal access token, not fine-grained
Check that SSO is authorized for the token (if the organization uses SAML SSO)

Incomplete Audit Data

Git events are only available with a GitHub Enterprise Cloud subscription
Some events may be delayed by up to 30 minutes
Increase time_delay to account for API lag
For the initial run, set only_future_events to no

Rate Limit Error

The GitHub API limits requests to 1750 per hour for Enterprise
Increase the interval value (for example, to 5m or 10m)
For organizations with high activity, consider filtering by event_type

Related Sections

Cloud Security Monitoring - overview of cloud integrations
Office 365 Monitoring - Microsoft 365 integration
Wazuh Capabilities - platform security modules

Last updated on 8, April 2026

Wazuh GCP - Google Cloud Platform Monitoring Wazuh Office 365 - Microsoft 365 Audit Monitoring