pC_githubgjsonappactivitydocument_id.md

June 15, 2026 ยท View on GitHub

Parser Content

{
Name = "github-g-json-app-activity-document_id"
	Vendor = "GitHub"
	Product = "GitHub"
	TimeFormat = "epoch"
	ExtractionType = json
	Conditions = [
	  """"_document_id":"""
	  """"operation_type":"""
	  """"action":"""
	]
	Fields = [
        """exa_json_path=$..@timestamp,exa_field_name=time"""
        """exa_json_path=$.._document_id,exa_field_name=doc_id"""
        """exa_json_path=$..token_scopes,exa_field_name=authorization_scope"""
        """exa_json_path=$..oauth_credential_type,exa_field_name=object_type""",
         """exa_json_path=$..application_name,exa_field_name=app"""
        """exa_json_path=$..programmatic_access_type,exa_field_name=access_type"""
        """exa_json_path=$..user,exa_field_name=user"""
        """exa_json_path=$..user_agent,exa_field_name=user_agent"""
        """exa_json_path=$..user_id,exa_field_name=user_id"""
        """exa_json_path=$..operation_type,exa_field_name=operation_type"""
        """exa_json_path=$..business,exa_field_name=company"""
        """exa_json_path=$.action,exa_field_name=action"""
        """exa_json_path=$.attributes.action,exa_field_name=action"""
        """exa_json_path=$..email,exa_regex=({email_address}[A-Za-z0-9!#$%&'+\/=?^_`~.-]+@[^\]\s"\\,\|]+.[^\]\s"\\,\|]+)"""
        """exa_json_path=$..external_identity_username,exa_field_name=user_ou"""
        """exa_json_path=$..actor_location.country_code,exa_field_name=country_code"""
        """exa_json_path=$.external_identity_username,exa_regex=(({email_address}[A-Za-z0-9!#$%&'+\/=?^_`~.-]+@[^\]\s"\\,;\|]+\.[^\]\s"\\,;\|]+)|({user}[\w\.\-\!\#\^\~]{1,40}\$?))""",
        """exa_json_path=$.external_identity_username,exa_regex=^[^@"]+?@({domain}[^"]+)$"""
        """exa_json_path=$.actor_ip,exa_regex=({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?"""
        """exa_json_path=$..actor_id,exa_field_name=user_id"""
        """exa_json_path=$.oauth_application_name,exa_field_name=app"""
        """"actor_id":\s*({user_id}[^",]+)"""
        """"@timestamp":({time}\d{13}),""",
        """({host}\S+)\s+github_audit:""",
        """"_document_id":\s*"({doc_id}[^"]+)"""",
        """"user":\s*"({user}[\w\.\-\!\#\^\~]{1,40}\$?)"""",
        """"user_agent":\s*"({user_agent}[^"]+)"""",
        """"user_id":\s*({user_id}\d+)""",
        """"operation_type":\s*"({operation_type}[^"]+)"""",
        """"business":\s*"({company}[^"]+)"""",
        """"action":\s*"({action}[^"]+)"""",
        """"email":\s*"({email_address}[A-Za-z0-9!#$%&'+\/=?^_`~.-]+@[^\]\s"\\,\|]+.[^\]\s"\\,\|]+)"""",
        """"country_code":\s*"({country_code}[^"]+)"""",
        """"actor_ip":\s*"({src_ip}((([0-9a-fA-F.]{0,4}):{1,2}){1,7}([0-9a-fA-F]){0,4})|(((25[0-5]|(2[0-4]|1\d|[0-9]|)\d)\.?\b){4}))(:({src_port}\d+))?""""
	]
	ParserVersion = "v1.0.0"


}