From b1a8b4322d553b76979b9575fd1ecb9f237d3248 Mon Sep 17 00:00:00 2001
From: Jamie Magee <jamagee@microsoft.com>
Date: Fri, 26 Sep 2025 21:02:26 +0100
Subject: [PATCH 1/4] Update token environment variable in OIDC guide (#57719)

---
 .../security-harden-deployments/oidc-in-cloud-providers.md      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers.md b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers.md
index e3db04d6c6bb..d8d0d4d4b6d0 100644
--- a/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers.md
+++ b/content/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-cloud-providers.md
@@ -104,7 +104,7 @@ jobs:
       with:
         debug: true
         script: |
-          const token = process.env['ACTIONS_RUNTIME_TOKEN']
+          const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']
           const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
           core.setOutput('TOKEN', token.trim())
           core.setOutput('IDTOKENURL', runtimeUrl.trim())

From 472cc8c051fc7584bf9848dc35b797a1b96be75d Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Fri, 26 Sep 2025 13:05:07 -0700
Subject: [PATCH 2/4] Sync secret scanning data (#57717)

Co-authored-by: Felicity Chapman <felicitymay@github.com>
---
 src/secret-scanning/data/public-docs.yml | 14 +++++++++++++-
 src/secret-scanning/lib/config.json      |  4 ++--
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/secret-scanning/data/public-docs.yml b/src/secret-scanning/data/public-docs.yml
index ab9098f05487..37213e5a1466 100644
--- a/src/secret-scanning/data/public-docs.yml
+++ b/src/secret-scanning/data/public-docs.yml
@@ -1412,7 +1412,7 @@
   isPublic: false
   isPrivateWithGhas: true
   hasPushProtection: true
-  hasValidityCheck: false
+  hasValidityCheck: '{% ifversion fpt or ghes %}false{% else %}true{% endif %}'
   base64Supported: false
   isduplicate: false
 - provider: Azure
@@ -4113,6 +4113,18 @@
   hasValidityCheck: '{% ifversion fpt or ghes %}false{% else %}true{% endif %}'
   base64Supported: false
   isduplicate: false
+- provider: OpenVSX
+  supportedSecret: OpenVSX Access Token
+  secretType: openvsx_access_token
+  versions:
+    fpt: '*'
+    ghec: '*'
+  isPublic: false
+  isPrivateWithGhas: true
+  hasPushProtection: false
+  hasValidityCheck: false
+  base64Supported: false
+  isduplicate: true
 - provider: Openweather
   supportedSecret: Openweather API Key
   secretType: openweather_api_key
diff --git a/src/secret-scanning/lib/config.json b/src/secret-scanning/lib/config.json
index 750012b7daec..cc9085711684 100644
--- a/src/secret-scanning/lib/config.json
+++ b/src/secret-scanning/lib/config.json
@@ -1,5 +1,5 @@
 {
-  "sha": "145ca132711fe1f6e74b2267ac61a98b12bf379f",
-  "blob-sha": "c3f0fc41ae4825e34c7726f5c6c50ff0426caffd",
+  "sha": "eccf6431f1e97d23ff7575fc7afabf9f7b27329f",
+  "blob-sha": "3f57c664f49dbf57e8c64c07e611cab51689c215",
   "targetFilename": "code-security/secret-scanning/introduction/supported-secret-scanning-patterns"
 }
\ No newline at end of file

From f579f10855fa9fa55cae8bdfe879539d9df05f54 Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Fri, 26 Sep 2025 13:05:25 -0700
Subject: [PATCH 3/4] Update OpenAPI Description (#57720)

Co-authored-by: Felicity Chapman <felicitymay@github.com>
---
 src/rest/data/fpt-2022-11-28/schema.json      | 132 +++++++++---------
 .../data/ghes-3.14-2022-11-28/schema.json     |  60 ++++----
 2 files changed, 96 insertions(+), 96 deletions(-)

diff --git a/src/rest/data/fpt-2022-11-28/schema.json b/src/rest/data/fpt-2022-11-28/schema.json
index f719dfb50eab..3bc023f6bad8 100644
--- a/src/rest/data/fpt-2022-11-28/schema.json
+++ b/src/rest/data/fpt-2022-11-28/schema.json
@@ -576,13 +576,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Deletes an artifact for a workflow run.\nOAuth tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ],
-        "descriptionHTML": "<p>Deletes an artifact for a workflow run.\nOAuth tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -1491,13 +1491,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Lists the GitHub Actions caches for a repository.</p>\n<p>OAuth tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Lists the GitHub Actions caches for a repository.</p>\n<p>OAuth tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -4484,13 +4484,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Sets the GitHub Actions permissions policy for repositories and allowed actions and reusable workflows in an organization.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>admin:org</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ],
-        "descriptionHTML": "<p>Sets the GitHub Actions permissions policy for repositories and allowed actions and reusable workflows in an organization.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>admin:org</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -9475,13 +9475,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Gets the default workflow permissions granted to the <code>GITHUB_TOKEN</code> when running workflows in a repository,\nas well as if GitHub Actions can submit approving pull request reviews.\nFor more information, see \"<a href=\"https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository\">Setting the permissions of the GITHUB_TOKEN for your repository</a>.\"</p>\n<p>OAuth tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Gets the default workflow permissions granted to the <code>GITHUB_TOKEN</code> when running workflows in a repository,\nas well as if GitHub Actions can submit approving pull request reviews.\nFor more information, see \"<a href=\"https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository\">Setting the permissions of the GITHUB_TOKEN for your repository</a>.\"</p>\n<p>OAuth tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -89643,13 +89643,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>This endpoint should only be used to stop watching a repository. To control whether or not you wish to receive notifications from a repository, <a href=\"https://docs.github.com/rest/activity/watching#set-a-repository-subscription\">set the repository's subscription manually</a>.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ],
-        "descriptionHTML": "<p>This endpoint should only be used to stop watching a repository. To control whether or not you wish to receive notifications from a repository, <a href=\"https://docs.github.com/rest/activity/watching#set-a-repository-subscription\">set the repository's subscription manually</a>.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -113112,13 +113112,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Gets the summary of the free and paid GitHub Actions minutes used.</p>\n<p>Paid minutes only apply to workflows in private repositories that use GitHub-hosted runners. Minutes used is listed for each GitHub-hosted runner operating system. Any job re-runs are also included in the usage. The usage returned includes any minute multipliers for macOS and Windows runners, and is rounded up to the nearest whole minute. For more information, see \"<a href=\"https://docs.github.com/github/setting-up-and-managing-billing-and-payments-on-github/managing-billing-for-github-actions\">Managing billing for GitHub Actions</a>\".</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>user</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Gets the summary of the free and paid GitHub Actions minutes used.</p>\n<p>Paid minutes only apply to workflows in private repositories that use GitHub-hosted runners. Minutes used is listed for each GitHub-hosted runner operating system. Any job re-runs are also included in the usage. The usage returned includes any minute multipliers for macOS and Windows runners, and is rounded up to the nearest whole minute. For more information, see \"<a href=\"https://docs.github.com/github/setting-up-and-managing-billing-and-payments-on-github/managing-billing-for-github-actions\">Managing billing for GitHub Actions</a>\".</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>user</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -180884,6 +180884,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Sets a code security configuration as a default to be applied to new repositories in your enterprise.</p>\n<p>This configuration will be applied by default to the matching repository type when created, but only for organizations within the enterprise that do not already have a default code security configuration set.</p>\n<p>The authenticated user must be an administrator for the enterprise to use this endpoint.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>admin:enterprise</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -180897,8 +180898,7 @@
             "httpStatusCode": "404",
             "description": "<p>Resource not found</p>"
           }
-        ],
-        "descriptionHTML": "<p>Sets a code security configuration as a default to be applied to new repositories in your enterprise.</p>\n<p>This configuration will be applied by default to the matching repository type when created, but only for organizations within the enterprise that do not already have a default code security configuration set.</p>\n<p>The authenticated user must be an administrator for the enterprise to use this endpoint.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>admin:enterprise</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -186235,6 +186235,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Returns array of all GitHub's codes of conduct.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -186244,8 +186245,7 @@
             "httpStatusCode": "304",
             "description": "<p>Not modified</p>"
           }
-        ],
-        "descriptionHTML": "<p>Returns array of all GitHub's codes of conduct.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -223936,13 +223936,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Lists all development environment secrets available in a repository without revealing their encrypted\nvalues.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Lists all development environment secrets available in a repository without revealing their encrypted\nvalues.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -268991,13 +268991,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Enable a custom deployment protection rule for an environment.</p>\n<p>The authenticated user must have admin or owner permissions to the repository to use this endpoint.</p>\n<p>For more information about the app that is providing this custom deployment rule, see the <a href=\"https://docs.github.com/rest/apps/apps#get-an-app\">documentation for the <code>GET /apps/{app_slug}</code> endpoint</a>, as well as the <a href=\"https://docs.github.com/actions/managing-workflow-runs-and-deployments/managing-deployments/creating-custom-deployment-protection-rules\">guide to creating custom deployment protection rules</a>.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "201",
             "description": "<p>The enabled custom deployment protection rule</p>"
           }
-        ],
-        "descriptionHTML": "<p>Enable a custom deployment protection rule for an environment.</p>\n<p>The authenticated user must have admin or owner permissions to the repository to use this endpoint.</p>\n<p>For more information about the app that is providing this custom deployment rule, see the <a href=\"https://docs.github.com/rest/apps/apps#get-an-app\">documentation for the <code>GET /apps/{app_slug}</code> endpoint</a>, as well as the <a href=\"https://docs.github.com/actions/managing-workflow-runs-and-deployments/managing-deployments/creating-custom-deployment-protection-rules\">guide to creating custom deployment protection rules</a>.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -271153,6 +271153,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Users with <code>push</code> access can create deployment statuses for a given deployment.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo_deployment</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "201",
@@ -271162,8 +271163,7 @@
             "httpStatusCode": "422",
             "description": "<p>Validation failed, or the endpoint has been spammed.</p>"
           }
-        ],
-        "descriptionHTML": "<p>Users with <code>push</code> access can create deployment statuses for a given deployment.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo_deployment</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -275262,13 +275262,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Add multiple team members to an enterprise team.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>Successfully added team members.</p>"
           }
-        ],
-        "descriptionHTML": "<p>Add multiple team members to an enterprise team.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -292182,6 +292182,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Creates a reference for your repository. You are unable to create new references for empty repositories, even if the commit SHA-1 hash used exists. Empty repositories are repositories without branches.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "201",
@@ -292195,8 +292196,7 @@
             "httpStatusCode": "422",
             "description": "<p>Validation failed, or the endpoint has been spammed.</p>"
           }
-        ],
-        "descriptionHTML": "<p>Creates a reference for your repository. You are unable to create new references for empty repositories, even if the commit SHA-1 hash used exists. Empty repositories are repositories without branches.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -293687,6 +293687,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Get the content of a gitignore template.</p>\n<p>This endpoint supports the following custom media types. For more information, see \"<a href=\"https://docs.github.com/rest/using-the-rest-api/getting-started-with-the-rest-api#media-types\">Media types</a>.\"</p>\n<ul>\n<li><strong><code>application/vnd.github.raw+json</code></strong>: Returns the raw .gitignore contents.</li>\n</ul>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -293696,8 +293697,7 @@
             "httpStatusCode": "304",
             "description": "<p>Not modified</p>"
           }
-        ],
-        "descriptionHTML": "<p>Get the content of a gitignore template.</p>\n<p>This endpoint supports the following custom media types. For more information, see \"<a href=\"https://docs.github.com/rest/using-the-rest-api/getting-started-with-the-rest-api#media-types\">Media types</a>.\"</p>\n<ul>\n<li><strong><code>application/vnd.github.raw+json</code></strong>: Returns the raw .gitignore contents.</li>\n</ul>"
+        ]
       }
     ]
   },
@@ -364960,13 +364960,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Lists labels for issues in a milestone.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Lists labels for issues in a milestone.</p>"
+        ]
       }
     ],
     "milestones": [
@@ -401197,13 +401197,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Get Hypermedia links to resources accessible in GitHub's REST API</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Get Hypermedia links to resources accessible in GitHub's REST API</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -402131,13 +402131,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Returns all community profile metrics for a repository. The repository cannot be a fork.</p>\n<p>The returned metrics include an overall health score, the repository description, the presence of documentation, the\ndetected code of conduct, the detected license, and the presence of ISSUE_TEMPLATE, PULL_REQUEST_TEMPLATE,\nREADME, and CONTRIBUTING files.</p>\n<p>The <code>health_percentage</code> score is defined as a percentage of how many of\nthe recommended community health files are present. For more information, see\n\"<a href=\"https://docs.github.com/communities/setting-up-your-project-for-healthy-contributions/about-community-profiles-for-public-repositories\">About community profiles for public repositories</a>.\"</p>\n<p><code>content_reports_enabled</code> is only returned for organization-owned repositories.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Returns all community profile metrics for a repository. The repository cannot be a fork.</p>\n<p>The returned metrics include an overall health score, the repository description, the presence of documentation, the\ndetected code of conduct, the detected license, and the presence of ISSUE_TEMPLATE, PULL_REQUEST_TEMPLATE,\nREADME, and CONTRIBUTING files.</p>\n<p>The <code>health_percentage</code> score is defined as a percentage of how many of\nthe recommended community health files are present. For more information, see\n\"<a href=\"https://docs.github.com/communities/setting-up-your-project-for-healthy-contributions/about-community-profiles-for-public-repositories\">About community profiles for public repositories</a>.\"</p>\n<p><code>content_reports_enabled</code> is only returned for organization-owned repositories.</p>"
+        ]
       }
     ],
     "statistics": [
@@ -403708,6 +403708,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Get the total number of views and breakdown per day or week for the last 14 days. Timestamps are aligned to UTC midnight of the beginning of the day or week. Week begins on Monday.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -403717,8 +403718,7 @@
             "httpStatusCode": "403",
             "description": "<p>Forbidden</p>"
           }
-        ],
-        "descriptionHTML": "<p>Get the total number of views and breakdown per day or week for the last 14 days. Timestamps are aligned to UTC midnight of the beginning of the day or week. Week begins on Monday.</p>"
+        ]
       }
     ]
   },
@@ -432000,13 +432000,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Updates a hosted compute network configuration for an organization.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:network_configurations</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Updates a hosted compute network configuration for an organization.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:network_configurations</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -432064,13 +432064,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Deletes a hosted compute network configuration from an organization.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:network_configurations</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ],
-        "descriptionHTML": "<p>Deletes a hosted compute network configuration from an organization.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:network_configurations</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -435350,6 +435350,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Approves or denies a pending request to access organization resources via a fine-grained personal access token.</p>\n<p>Only GitHub Apps can use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
@@ -435371,8 +435372,7 @@
             "httpStatusCode": "500",
             "description": "<p>Internal Error</p>"
           }
-        ],
-        "descriptionHTML": "<p>Approves or denies a pending request to access organization resources via a fine-grained personal access token.</p>\n<p>Only GitHub Apps can use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -464936,13 +464936,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Gets information about the single most recent build of a GitHub Pages site.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<p>Gets information about the single most recent build of a GitHub Pages site.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>repo</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -561860,6 +561860,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Lists comments for a specific pull request review.</p>\n<p>This endpoint supports the following custom media types. For more information, see \"<a href=\"https://docs.github.com/rest/using-the-rest-api/getting-started-with-the-rest-api#media-types\">Media types</a>.\"</p>\n<ul>\n<li><strong><code>application/vnd.github-commitcomment.raw+json</code></strong>: Returns the raw markdown body. Response will include <code>body</code>. This is the default if you do not pass any specific media type.</li>\n<li><strong><code>application/vnd.github-commitcomment.text+json</code></strong>: Returns a text only representation of the markdown body. Response will include <code>body_text</code>.</li>\n<li><strong><code>application/vnd.github-commitcomment.html+json</code></strong>: Returns HTML rendered from the body's markdown. Response will include <code>body_html</code>.</li>\n<li><strong><code>application/vnd.github-commitcomment.full+json</code></strong>: Returns raw, text, and HTML representations. Response will include <code>body</code>, <code>body_text</code>, and <code>body_html</code>.</li>\n</ul>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -561869,8 +561870,7 @@
             "httpStatusCode": "404",
             "description": "<p>Resource not found</p>"
           }
-        ],
-        "descriptionHTML": "<p>Lists comments for a specific pull request review.</p>\n<p>This endpoint supports the following custom media types. For more information, see \"<a href=\"https://docs.github.com/rest/using-the-rest-api/getting-started-with-the-rest-api#media-types\">Media types</a>.\"</p>\n<ul>\n<li><strong><code>application/vnd.github-commitcomment.raw+json</code></strong>: Returns the raw markdown body. Response will include <code>body</code>. This is the default if you do not pass any specific media type.</li>\n<li><strong><code>application/vnd.github-commitcomment.text+json</code></strong>: Returns a text only representation of the markdown body. Response will include <code>body_text</code>.</li>\n<li><strong><code>application/vnd.github-commitcomment.html+json</code></strong>: Returns HTML rendered from the body's markdown. Response will include <code>body_html</code>.</li>\n<li><strong><code>application/vnd.github-commitcomment.full+json</code></strong>: Returns raw, text, and HTML representations. Response will include <code>body</code>, <code>body_text</code>, and <code>body_html</code>.</li>\n</ul>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -567516,6 +567516,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Create a reaction to an <a href=\"https://docs.github.com/rest/issues/comments#get-an-issue-comment\">issue comment</a>. A response with an HTTP <code>200</code> status means that you already added the reaction type to this issue comment.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -567529,8 +567530,7 @@
             "httpStatusCode": "422",
             "description": "<p>Validation failed, or the endpoint has been spammed.</p>"
           }
-        ],
-        "descriptionHTML": "<p>Create a reaction to an <a href=\"https://docs.github.com/rest/issues/comments#get-an-issue-comment\">issue comment</a>. A response with an HTTP <code>200</code> status means that you already added the reaction type to this issue comment.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -570857,13 +570857,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nYou can also specify a repository by <code>repository_id</code> using the route <code>DELETE delete /repositories/:repository_id/releases/:release_id/reactions/:reaction_id</code>.</p>\n</div>\n<p>Delete a reaction to a <a href=\"https://docs.github.com/rest/releases/releases#get-a-release\">release</a>.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ],
-        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nYou can also specify a repository by <code>repository_id</code> using the route <code>DELETE delete /repositories/:repository_id/releases/:release_id/reactions/:reaction_id</code>.</p>\n</div>\n<p>Delete a reaction to a <a href=\"https://docs.github.com/rest/releases/releases#get-a-release\">release</a>.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -596642,13 +596642,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": ""
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -598601,13 +598601,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Disables dependency alerts and the dependency graph for a repository.\nThe authenticated user must have admin access to the repository. For more information,\nsee \"<a href=\"https://docs.github.com/articles/about-security-alerts-for-vulnerable-dependencies\">About security alerts for vulnerable dependencies</a>\".</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ],
-        "descriptionHTML": "<p>Disables dependency alerts and the dependency graph for a repository.\nThe authenticated user must have admin access to the repository. For more information,\nsee \"<a href=\"https://docs.github.com/articles/about-security-alerts-for-vulnerable-dependencies\">About security alerts for vulnerable dependencies</a>\".</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -615905,13 +615905,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Gets a redirect URL to download a zip archive for a repository. If you omit <code>:ref</code>, the repository’s default branch (usually\n<code>main</code>) will be used. Please make sure your HTTP framework is configured to follow redirects or you will need to use\nthe <code>Location</code> header to make a second <code>GET</code> request.</p>\n<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nFor private repositories, these links are temporary and expire after five minutes. If the repository is empty, you will receive a 404 when you follow the redirect.</p>\n</div>",
         "statusCodes": [
           {
             "httpStatusCode": "302",
             "description": "<p>Found</p>"
           }
-        ],
-        "descriptionHTML": "<p>Gets a redirect URL to download a zip archive for a repository. If you omit <code>:ref</code>, the repository’s default branch (usually\n<code>main</code>) will be used. Please make sure your HTTP framework is configured to follow redirects or you will need to use\nthe <code>Location</code> header to make a second <code>GET</code> request.</p>\n<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nFor private repositories, these links are temporary and expire after five minutes. If the repository is empty, you will receive a 404 when you follow the redirect.</p>\n</div>"
+        ]
       }
     ],
     "custom-properties": [
@@ -617222,6 +617222,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -617231,8 +617232,7 @@
             "httpStatusCode": "400",
             "description": "<p>Bad Request</p>"
           }
-        ],
-        "descriptionHTML": ""
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -631981,6 +631981,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Get the history of a repository ruleset.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -631994,8 +631995,7 @@
             "httpStatusCode": "500",
             "description": "<p>Internal Error</p>"
           }
-        ],
-        "descriptionHTML": "<p>Get the history of a repository ruleset.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -632291,6 +632291,7 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-attention\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\"></path></svg>Warning</p>\n<p>\n<strong>Closing down notice:</strong> This operation is closing down and will be removed after August 30, 2024. Use the \"<a href=\"https://docs.github.com/rest/repos/rules#get-all-repository-rulesets\">Repository Rulesets</a>\" endpoint instead.</p>\n</div>\n<p>This returns the tag protection states of a repository.</p>\n<p>This information is only available to repository administrators.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -632304,8 +632305,7 @@
             "httpStatusCode": "404",
             "description": "<p>Resource not found</p>"
           }
-        ],
-        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-attention\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\"></path></svg>Warning</p>\n<p>\n<strong>Closing down notice:</strong> This operation is closing down and will be removed after August 30, 2024. Use the \"<a href=\"https://docs.github.com/rest/repos/rules#get-all-repository-rulesets\">Repository Rulesets</a>\" endpoint instead.</p>\n</div>\n<p>This returns the tag protection states of a repository.</p>\n<p>This information is only available to repository administrators.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -691276,13 +691276,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<p>Deletes a comment on a team discussion.</p>\n<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nYou can also specify a team by <code>org_id</code> and <code>team_id</code> using the route <code>DELETE /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}/comments/{comment_number}</code>.</p>\n</div>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:discussion</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ],
-        "descriptionHTML": "<p>Deletes a comment on a team discussion.</p>\n<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nYou can also specify a team by <code>org_id</code> and <code>team_id</code> using the route <code>DELETE /organizations/{org_id}/team/{team_id}/discussions/{discussion_number}/comments/{comment_number}</code>.</p>\n</div>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:discussion</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
@@ -693077,13 +693077,13 @@
           }
         ],
         "previews": [],
+        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-attention\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\"></path></svg>Warning</p>\n<p>\n<strong>Endpoint closing down notice:</strong> This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new <a href=\"https://docs.github.com/rest/teams/discussion-comments#update-a-discussion-comment\">Update a discussion comment</a> endpoint.</p>\n</div>\n<p>Edits the body text of a discussion comment.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:discussion</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ],
-        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-attention\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\"></path></svg>Warning</p>\n<p>\n<strong>Endpoint closing down notice:</strong> This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new <a href=\"https://docs.github.com/rest/teams/discussion-comments#update-a-discussion-comment\">Update a discussion comment</a> endpoint.</p>\n</div>\n<p>Edits the body text of a discussion comment.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:discussion</code> scope to use this endpoint.</p>"
+        ]
       },
       {
         "serverUrl": "https://api.github.com",
diff --git a/src/rest/data/ghes-3.14-2022-11-28/schema.json b/src/rest/data/ghes-3.14-2022-11-28/schema.json
index f33e2fb442e2..ac905a06d112 100644
--- a/src/rest/data/ghes-3.14-2022-11-28/schema.json
+++ b/src/rest/data/ghes-3.14-2022-11-28/schema.json
@@ -10665,13 +10665,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Removes a self-hosted runner from a group configured in an enterprise. The runner is then returned to the default group.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>manage_runners:enterprise</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Removes a self-hosted runner from a group configured in an enterprise. The runner is then returned to the default group.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>manage_runners:enterprise</code> scope to use this endpoint.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -10871,13 +10871,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Lists all self-hosted runner groups configured in an organization and inherited from an enterprise.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>admin:org</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Lists all self-hosted runner groups configured in an organization and inherited from an enterprise.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>admin:org</code> scope to use this endpoint.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -11069,13 +11069,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Creates a new self-hosted runner group for an organization.</p>\n<p>OAuth tokens and personal access tokens (classic) need the <code>admin:org</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "201",
             "description": "<p>Created</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Creates a new self-hosted runner group for an organization.</p>\n<p>OAuth tokens and personal access tokens (classic) need the <code>admin:org</code> scope to use this endpoint.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -63616,13 +63616,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>If you are authenticated as the given user, you will see your private events. Otherwise, you'll only see public events. <em>Optional</em>: use the fine-grained token with following permission set to view private events: \"Events\" user permissions (read).</p>\n<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nThis API is not built to serve real-time use cases. Depending on the time of day, event latency can be anywhere from 30s to 6h.</p>\n</div>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>If you are authenticated as the given user, you will see your private events. Otherwise, you'll only see public events. <em>Optional</em>: use the fine-grained token with following permission set to view private events: \"Events\" user permissions (read).</p>\n<div class=\"ghd-alert ghd-alert-accent\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M0 8a8 8 0 1 1 16 0A8 8 0 0 1 0 8Zm8-6.5a6.5 6.5 0 1 0 0 13 6.5 6.5 0 0 0 0-13ZM6.5 7.75A.75.75 0 0 1 7.25 7h1a.75.75 0 0 1 .75.75v2.75h.25a.75.75 0 0 1 0 1.5h-2a.75.75 0 0 1 0-1.5h.25v-2h-.25a.75.75 0 0 1-.75-.75ZM8 6a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z\"></path></svg>Note</p>\n<p>\nThis API is not built to serve real-time use cases. Depending on the time of day, event latency can be anywhere from 30s to 6h.</p>\n</div>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -83452,13 +83452,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Lists all notifications for the current user in the specified repository.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Lists all notifications for the current user in the specified repository.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -104502,7 +104502,6 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>List repositories that an app installation can access.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
@@ -104520,7 +104519,8 @@
             "httpStatusCode": "403",
             "description": "<p>Forbidden</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>List repositories that an app installation can access.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -207224,13 +207224,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": ""
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -212205,7 +212205,6 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Applies settings on your instance. For a list of the available settings, see the <a href=\"https://docs.github.com/enterprise-server@3.14/rest/enterprise-admin/management-console#get-settings\">Get settings endpoint</a>.</p>\n<p><strong>Notes:</strong></p>\n<ul>\n<li>The request body for this operation must be submitted as <code>application/x-www-form-urlencoded</code> data. You can submit a parameter value as a string, or you can use a tool such as <code>curl</code> to submit a parameter value as the contents of a text file. For more information, see the <a href=\"https://curl.se/docs/manpage.html#--data-urlencode\"><code>curl</code> documentation</a>.</li>\n<li>You cannot set the management console password with the Enterprise administration API. Use the <code>ghe-set-password</code> utility to change the management console password. For more information, see \"<a href=\"https://docs.github.com/enterprise-server@3.14/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-set-password\">Command-line utilities</a>.\"</li>\n</ul>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
@@ -212215,7 +212214,8 @@
             "httpStatusCode": "401",
             "description": "<p>Unauthorized</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Applies settings on your instance. For a list of the available settings, see the <a href=\"https://docs.github.com/enterprise-server@3.14/rest/enterprise-admin/management-console#get-settings\">Get settings endpoint</a>.</p>\n<p><strong>Notes:</strong></p>\n<ul>\n<li>The request body for this operation must be submitted as <code>application/x-www-form-urlencoded</code> data. You can submit a parameter value as a string, or you can use a tool such as <code>curl</code> to submit a parameter value as the contents of a text file. For more information, see the <a href=\"https://curl.se/docs/manpage.html#--data-urlencode\"><code>curl</code> documentation</a>.</li>\n<li>You cannot set the management console password with the Enterprise administration API. Use the <code>ghe-set-password</code> utility to change the management console password. For more information, see \"<a href=\"https://docs.github.com/enterprise-server@3.14/admin/configuration/configuring-your-enterprise/command-line-utilities#ghe-set-password\">Command-line utilities</a>.\"</li>\n</ul>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME",
@@ -224531,13 +224531,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Note that you'll need to set <code>Content-Length</code> to zero when calling out to this endpoint. For more information, see \"<a href=\"https://docs.github.com/enterprise-server@3.14/rest/guides/getting-started-with-the-rest-api#http-method\">HTTP method</a>.\"</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Note that you'll need to set <code>Content-Length</code> to zero when calling out to this endpoint. For more information, see \"<a href=\"https://docs.github.com/enterprise-server@3.14/rest/guides/getting-started-with-the-rest-api#http-method\">HTTP method</a>.\"</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -319842,13 +319842,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Get Hypermedia links to resources accessible in GitHub's REST API</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Get Hypermedia links to resources accessible in GitHub's REST API</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -320129,13 +320129,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Get a random sentence from the Zen of GitHub</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Get a random sentence from the Zen of GitHub</p>"
       }
     ]
   },
@@ -436791,13 +436791,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-attention\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\"></path></svg>Warning</p>\n<p>\n<strong>Endpoint closing down notice:</strong> This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new <a href=\"https://docs.github.com/enterprise-server@3.14/rest/reactions/reactions#list-reactions-for-a-team-discussion-comment\"><code>List reactions for a team discussion comment</code></a> endpoint.</p>\n</div>\n<p>List the reactions to a <a href=\"https://docs.github.com/enterprise-server@3.14/rest/teams/discussion-comments#get-a-discussion-comment\">team discussion comment</a>.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>read:discussion</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<div class=\"ghd-alert ghd-alert-attention\" data-container=\"alert\"><p class=\"ghd-alert-title\"><svg version=\"1.1\" width=\"16\" height=\"16\" viewBox=\"0 0 16 16\" class=\"octicon mr-2\" aria-hidden><path d=\"M6.457 1.047c.659-1.234 2.427-1.234 3.086 0l6.082 11.378A1.75 1.75 0 0 1 14.082 15H1.918a1.75 1.75 0 0 1-1.543-2.575Zm1.763.707a.25.25 0 0 0-.44 0L1.698 13.132a.25.25 0 0 0 .22.368h12.164a.25.25 0 0 0 .22-.368Zm.53 3.996v2.5a.75.75 0 0 1-1.5 0v-2.5a.75.75 0 0 1 1.5 0ZM9 11a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\"></path></svg>Warning</p>\n<p>\n<strong>Endpoint closing down notice:</strong> This endpoint route is closing down and will be removed from the Teams API. We recommend migrating your existing code to use the new <a href=\"https://docs.github.com/enterprise-server@3.14/rest/reactions/reactions#list-reactions-for-a-team-discussion-comment\"><code>List reactions for a team discussion comment</code></a> endpoint.</p>\n</div>\n<p>List the reactions to a <a href=\"https://docs.github.com/enterprise-server@3.14/rest/teams/discussion-comments#get-a-discussion-comment\">team discussion comment</a>.</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>read:discussion</code> scope to use this endpoint.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -442689,13 +442689,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Users with push access to the repository can edit a release.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Users with push access to the repository can edit a release.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -463176,13 +463176,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Enables dependency alerts and the dependency graph for a repository. The authenticated user must have admin access to the repository. For more information, see \"<a href=\"https://docs.github.com/enterprise-server@3.14/articles/about-security-alerts-for-vulnerable-dependencies\">About security alerts for vulnerable dependencies</a>\".</p>",
         "statusCodes": [
           {
             "httpStatusCode": "204",
             "description": "<p>No Content</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Enables dependency alerts and the dependency graph for a repository. The authenticated user must have admin access to the repository. For more information, see \"<a href=\"https://docs.github.com/enterprise-server@3.14/articles/about-security-alerts-for-vulnerable-dependencies\">About security alerts for vulnerable dependencies</a>\".</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",
@@ -496421,13 +496421,13 @@
           }
         ],
         "previews": [],
-        "descriptionHTML": "<p>Updates the webhook configuration for a repository. To update more information about the webhook, including the <code>active</code> state and <code>events</code>, use \"<a href=\"/rest/webhooks/repos#update-a-repository-webhook\">Update a repository webhook</a>.\"</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:repo_hook</code> or <code>repo</code> scope to use this endpoint.</p>",
         "statusCodes": [
           {
             "httpStatusCode": "200",
             "description": "<p>OK</p>"
           }
-        ]
+        ],
+        "descriptionHTML": "<p>Updates the webhook configuration for a repository. To update more information about the webhook, including the <code>active</code> state and <code>events</code>, use \"<a href=\"/rest/webhooks/repos#update-a-repository-webhook\">Update a repository webhook</a>.\"</p>\n<p>OAuth app tokens and personal access tokens (classic) need the <code>write:repo_hook</code> or <code>repo</code> scope to use this endpoint.</p>"
       },
       {
         "serverUrl": "http(s)://HOSTNAME/api/v3",

From d5f039969aea81c4a67933fbd3754c077b87a080 Mon Sep 17 00:00:00 2001
From: docs-bot <77750099+docs-bot@users.noreply.github.com>
Date: Fri, 26 Sep 2025 13:07:07 -0700
Subject: [PATCH 4/4] Update audit log event data (#57718)

Co-authored-by: Felicity Chapman <felicitymay@github.com>
---
 src/audit-logs/data/fpt/organization.json     |   727 +-
 src/audit-logs/data/fpt/user.json             |   481 +
 src/audit-logs/data/ghec/enterprise.json      |   693 +-
 src/audit-logs/data/ghec/organization.json    |   727 +-
 src/audit-logs/data/ghec/user.json            |   481 +
 src/audit-logs/data/ghes-3.14/enterprise.json |   112 +-
 .../data/ghes-3.14/organization.json          |    51 +-
 src/audit-logs/data/ghes-3.15/enterprise.json |   208 +-
 .../data/ghes-3.15/organization.json          |   147 +-
 src/audit-logs/data/ghes-3.15/user.json       |    96 +
 src/audit-logs/data/ghes-3.16/enterprise.json |   848 +-
 .../data/ghes-3.16/organization.json          |   147 +-
 src/audit-logs/data/ghes-3.16/user.json       |    96 +
 src/audit-logs/data/ghes-3.17/enterprise.json |   848 +-
 .../data/ghes-3.17/organization.json          |   147 +-
 src/audit-logs/data/ghes-3.17/user.json       |    96 +
 src/audit-logs/data/ghes-3.18/enterprise.json |   848 +-
 .../data/ghes-3.18/organization.json          |   147 +-
 src/audit-logs/data/ghes-3.18/user.json       |    96 +
 src/audit-logs/data/ghes-3.19/enterprise.json | 18852 ++++++++++++++++
 .../data/ghes-3.19/organization.json          | 17575 ++++++++++++++
 src/audit-logs/data/ghes-3.19/user.json       |  9055 ++++++++
 src/audit-logs/lib/config.json                |     2 +-
 23 files changed, 51445 insertions(+), 1035 deletions(-)
 create mode 100644 src/audit-logs/data/ghes-3.19/enterprise.json
 create mode 100644 src/audit-logs/data/ghes-3.19/organization.json
 create mode 100644 src/audit-logs/data/ghes-3.19/user.json

diff --git a/src/audit-logs/data/fpt/organization.json b/src/audit-logs/data/fpt/organization.json
index f88dd26bd6b5..21e7f1ad0f2d 100644
--- a/src/audit-logs/data/fpt/organization.json
+++ b/src/audit-logs/data/fpt/organization.json
@@ -220,6 +220,88 @@
     ],
     "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization"
   },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",
@@ -260,6 +342,42 @@
     ],
     "docs_reference_titles": "Managing your payment and billing information"
   },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "billing.lock",
     "description": "N/A",
@@ -1295,6 +1413,27 @@
       "scheduled_plan"
     ]
   },
+  {
+    "action": "copilot.swe_agent_mcp_config_updated",
+    "description": "MCP Configuration for Copilot coding agent was updated for a specific repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_config",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "copilot.swe_agent_repo_disabled",
     "description": "Specific repositories were disabled from using Copilot coding agent.",
@@ -2418,7 +2557,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -2439,7 +2578,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -2461,7 +2600,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -3342,6 +3481,100 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "issue_dependencies.blocked_by_add",
+    "description": "An issue was marked as blocked by another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_remove",
+    "description": "The blocked by relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "org",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_add",
+    "description": "An issue was marked as blocking another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_remove",
+    "description": "The blocking relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "issue.destroy",
     "description": "An issue was deleted from the repository.",
@@ -5052,6 +5285,32 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "org.code_security_metered_usage_lock",
+    "description": "Enablement for Code Security features on new repositories has been locked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.code_security_metered_usage_unlock",
+    "description": "Enablement for Code Security features on new repositories has been unlocked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "org.codeql_disabled",
     "description": "Code scanning using the default setup was disabled for an organization.",
@@ -6083,7 +6342,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -6146,7 +6406,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -6842,6 +7103,32 @@
     ],
     "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization"
   },
+  {
+    "action": "org.secret_protection_metered_usage_lock",
+    "description": "Enablement for Secret Protection features on new repositories has been locked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.secret_protection_metered_usage_unlock",
+    "description": "Enablement for Secret Protection features on new repositories has been unlocked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "org_secret_scanning_automatic_validity_checks.disabled",
     "description": "Automatic partner validation checks have been disabled at the organization level",
@@ -7383,49 +7670,36 @@
   },
   {
     "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "description": "The push protection setting was updated for a secret type for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
+      "actor",
       "org_id",
+      "org",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
+      "push_protection_setting",
       "secret_type",
       "secret_type_display_name",
-      "push_protection_setting"
+      "created_at"
     ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+    "docs_reference_titles": "About push protection"
   },
   {
     "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "description": "The push protection pattern configuration was updated for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
+      "actor",
       "org_id",
+      "org",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
+      "created_at"
     ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+    "docs_reference_titles": "About push protection"
   },
   {
     "action": "org.security_center_export_code_scanning_metrics",
@@ -7587,6 +7861,29 @@
     ],
     "docs_reference_titles": "Self-hosted runners"
   },
+  {
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
   {
     "action": "org.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
@@ -7925,6 +8222,28 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "org.update_immutable_releases_settings_policy",
+    "description": "The settings policy for immutable releases was updated for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "old_policy",
+      "new_policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "org.update_integration_secret",
     "description": "A Codespaces or Dependabot secret was updated for an organization.",
@@ -8087,9 +8406,61 @@
       "action",
       "@timestamp",
       "created_at",
-      "request_access_security_header"
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement"
+  },
+  {
+    "action": "organization_custom_property_value.create",
+    "description": "An organization's custom property value was manually set for the first time.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_value.destroy",
+    "description": "An organization's custom property value was deleted.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
     ],
-    "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement"
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
   },
   {
     "action": "organization_default_label.create",
@@ -11729,6 +12100,56 @@
     ],
     "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives"
   },
+  {
+    "action": "repo.immutable_releases_settings_disabled",
+    "description": "The setting for immutable releases was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.immutable_releases_settings_enabled",
+    "description": "The setting for immutable releases was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "repo.pages_cname",
     "description": "A GitHub Pages custom domain was modified in a repository.",
@@ -12245,6 +12666,60 @@
     ],
     "docs_reference_titles": "Self-hosted runners"
   },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
   {
     "action": "repo.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
@@ -15918,6 +16393,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "team.add_member",
     "description": "A member of an organization was added to a team.",
@@ -15937,7 +16508,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -15965,6 +16537,30 @@
       "actor_is_bot"
     ]
   },
+  {
+    "action": "team.add_to_organization",
+    "description": "A team was added to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "team.change_parent_team",
     "description": "A child team was created or a child team's parent was changed.",
@@ -16003,7 +16599,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -16026,7 +16623,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -16069,7 +16667,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -16220,6 +16819,30 @@
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer"
   },
+  {
+    "action": "team.remove_from_organization",
+    "description": "A team was removed from an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "team.remove_member",
     "description": "An organization member was removed from a team.",
@@ -16240,7 +16863,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -16285,7 +16909,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
@@ -16377,6 +17002,30 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "user_content_edit.delete",
+    "description": "Triggered when a user content edit is deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "user_content_id",
+      "user_content_type",
+      "created_at",
+      "user_agent",
+      "deleted_by",
+      "editor_id",
+      "_document_id",
+      "deleted_at",
+      "action",
+      "actor_id",
+      "editor",
+      "deleted_by_id",
+      "deleted_content",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
   {
     "action": "vulnerability_alert_rule.create",
     "description": "A Dependabot rule was created.",
diff --git a/src/audit-logs/data/fpt/user.json b/src/audit-logs/data/fpt/user.json
index f344231a33b8..8448a7a0dbf8 100644
--- a/src/audit-logs/data/fpt/user.json
+++ b/src/audit-logs/data/fpt/user.json
@@ -143,6 +143,88 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",
@@ -183,6 +265,42 @@
     ],
     "docs_reference_titles": "Managing your payment and billing information"
   },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "billing.lock",
     "description": "N/A",
@@ -342,6 +460,50 @@
       "actor_is_bot"
     ]
   },
+  {
+    "action": "business.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
   {
     "action": "business.set_actions_fork_pr_approvals_policy",
     "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.",
@@ -2345,6 +2507,100 @@
     ],
     "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
   },
+  {
+    "action": "issue_dependencies.blocked_by_add",
+    "description": "An issue was marked as blocked by another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_remove",
+    "description": "The blocked by relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "org",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_add",
+    "description": "An issue was marked as blocking another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_remove",
+    "description": "The blocking relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "marketplace_agreement_signature.create",
     "description": "The GitHub Marketplace Developer Agreement was signed.",
@@ -3375,6 +3631,29 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
   {
     "action": "org.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
@@ -5659,6 +5938,60 @@
       "user_id"
     ]
   },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
   {
     "action": "repo.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
@@ -6401,6 +6734,58 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "social_identity.linked",
+    "description": "A user linked a social identity to their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "actor_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked",
+    "description": "A user unlinked a social identity from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked_all",
+    "description": "A user unlinked all social identities from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "sponsors.agreement_sign",
     "description": "A GitHub Sponsors agreement was signed on behalf of an organization.",
@@ -6839,6 +7224,102 @@
       "operation_type"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
diff --git a/src/audit-logs/data/ghec/enterprise.json b/src/audit-logs/data/ghec/enterprise.json
index aae8bba4971f..f8bf482d7fe3 100644
--- a/src/audit-logs/data/ghec/enterprise.json
+++ b/src/audit-logs/data/ghec/enterprise.json
@@ -352,6 +352,88 @@
     ],
     "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization"
   },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",
@@ -392,6 +474,42 @@
     ],
     "docs_reference_titles": "Managing your payment and billing information"
   },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "billing.lock",
     "description": "N/A",
@@ -693,6 +811,25 @@
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
+  {
+    "action": "business.advanced_security_metered_usage_lock",
+    "description": "Enablement for Advanced Security features on new repositories has been locked for this enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "business.advanced_security_metered_usage_unlock",
     "description": "Enablement for Advanced Security features on new repositories has been unlocked for this enterprise.",
@@ -1096,6 +1233,25 @@
       "actor_is_bot"
     ]
   },
+  {
+    "action": "business.code_security_metered_usage_unlock",
+    "description": "Enablement for Code Security features on new repositories has been unlocked for this enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "business.connect_usage_metrics_export",
     "description": "Server statistics were exported for the enterprise.",
@@ -2088,6 +2244,44 @@
       "business"
     ]
   },
+  {
+    "action": "business.secret_protection_metered_usage_lock",
+    "description": "Enablement for Secret Protection features on new repositories has been locked for this enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "business.secret_protection_metered_usage_unlock",
+    "description": "Enablement for Secret Protection features on new repositories has been unlocked for this enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "business_secret_scanning_automatic_validity_checks.disabled",
     "description": "Automatic partner validation checks have been disabled at the business level",
@@ -2576,24 +2770,17 @@
   },
   {
     "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your enterprise.",
+    "description": "The push protection setting was updated for a secret type for your enterprise.",
     "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
+      "actor",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
+      "push_protection_setting",
       "secret_type",
       "secret_type_display_name",
-      "push_protection_setting"
+      "created_at"
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
@@ -2602,17 +2789,11 @@
     "description": "The push protection pattern configuration was updated for your enterprise.",
     "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
+      "actor",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
+      "created_at"
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
@@ -2740,6 +2921,50 @@
       "actor_is_bot"
     ]
   },
+  {
+    "action": "business.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
   {
     "action": "business.set_actions_fork_pr_approvals_policy",
     "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.",
@@ -6074,7 +6299,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -6095,7 +6320,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -6117,7 +6342,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -9584,7 +9809,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -9647,7 +9873,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -10819,49 +11046,36 @@
   },
   {
     "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "description": "The push protection setting was updated for a secret type for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
+      "actor",
       "org_id",
+      "org",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
+      "push_protection_setting",
       "secret_type",
       "secret_type_display_name",
-      "push_protection_setting"
+      "created_at"
     ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+    "docs_reference_titles": "About push protection"
   },
   {
     "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "description": "The push protection pattern configuration was updated for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
+      "actor",
       "org_id",
+      "org",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
+      "created_at"
     ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+    "docs_reference_titles": "About push protection"
   },
   {
     "action": "org.self_hosted_runner_offline",
@@ -10913,9 +11127,32 @@
     "docs_reference_titles": "Self-hosted runners"
   },
   {
-    "action": "org.set_actions_fork_pr_approvals_policy",
-    "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
-    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks",
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
+  {
+    "action": "org.set_actions_fork_pr_approvals_policy",
+    "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks",
     "fields": [
       "user_agent",
       "request_id",
@@ -11232,6 +11469,28 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "org.update_immutable_releases_settings_policy",
+    "description": "The settings policy for immutable releases was updated for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "old_policy",
+      "new_policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "org.update_integration_secret",
     "description": "A Codespaces or Dependabot secret was updated for an organization.",
@@ -11378,6 +11637,140 @@
     ],
     "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement"
   },
+  {
+    "action": "organization_custom_property_definition.create",
+    "description": "A new organization custom property definition was created.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "description",
+      "value_type",
+      "required",
+      "allowed_values",
+      "default_value",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_definition.destroy",
+    "description": "An organization custom property definition was deleted.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "description",
+      "value_type",
+      "required",
+      "allowed_values",
+      "default_value",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_definition.update",
+    "description": "An organization custom property definition was updated.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "old_values_editable_by",
+      "values_editable_by",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "old_allowed_values"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_value.create",
+    "description": "An organization's custom property value was manually set for the first time.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_value.destroy",
+    "description": "An organization's custom property value was deleted.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
   {
     "action": "organization_default_label.create",
     "description": "A default label was created for repositories in an organization.",
@@ -15014,6 +15407,56 @@
     ],
     "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives"
   },
+  {
+    "action": "repo.immutable_releases_settings_disabled",
+    "description": "The setting for immutable releases was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.immutable_releases_settings_enabled",
+    "description": "The setting for immutable releases was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "repo.pages_cname",
     "description": "A GitHub Pages custom domain was modified in a repository.",
@@ -15530,6 +15973,60 @@
     ],
     "docs_reference_titles": "Self-hosted runners"
   },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
   {
     "action": "repo.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
@@ -19202,7 +19699,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -19230,6 +19728,30 @@
       "actor_is_bot"
     ]
   },
+  {
+    "action": "team.add_to_organization",
+    "description": "A team was added to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "team.change_parent_team",
     "description": "A child team was created or a child team's parent was changed.",
@@ -19268,7 +19790,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -19291,7 +19814,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -19334,7 +19858,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -19422,6 +19947,30 @@
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer"
   },
+  {
+    "action": "team.remove_from_organization",
+    "description": "A team was removed from an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "team.remove_member",
     "description": "An organization member was removed from a team.",
@@ -19442,7 +19991,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -19487,7 +20037,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
@@ -19579,6 +20130,30 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "user_content_edit.delete",
+    "description": "Triggered when a user content edit is deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "user_content_id",
+      "user_content_type",
+      "created_at",
+      "user_agent",
+      "deleted_by",
+      "editor_id",
+      "_document_id",
+      "deleted_at",
+      "action",
+      "actor_id",
+      "editor",
+      "deleted_by_id",
+      "deleted_content",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
   {
     "action": "user_email.confirm_claim",
     "description": "An enterprise managed user claimed an email address.",
diff --git a/src/audit-logs/data/ghec/organization.json b/src/audit-logs/data/ghec/organization.json
index f88dd26bd6b5..21e7f1ad0f2d 100644
--- a/src/audit-logs/data/ghec/organization.json
+++ b/src/audit-logs/data/ghec/organization.json
@@ -220,6 +220,88 @@
     ],
     "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization"
   },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",
@@ -260,6 +342,42 @@
     ],
     "docs_reference_titles": "Managing your payment and billing information"
   },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "billing.lock",
     "description": "N/A",
@@ -1295,6 +1413,27 @@
       "scheduled_plan"
     ]
   },
+  {
+    "action": "copilot.swe_agent_mcp_config_updated",
+    "description": "MCP Configuration for Copilot coding agent was updated for a specific repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_config",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "copilot.swe_agent_repo_disabled",
     "description": "Specific repositories were disabled from using Copilot coding agent.",
@@ -2418,7 +2557,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -2439,7 +2578,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -2461,7 +2600,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -3342,6 +3481,100 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "issue_dependencies.blocked_by_add",
+    "description": "An issue was marked as blocked by another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_remove",
+    "description": "The blocked by relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "org",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_add",
+    "description": "An issue was marked as blocking another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_remove",
+    "description": "The blocking relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "issue.destroy",
     "description": "An issue was deleted from the repository.",
@@ -5052,6 +5285,32 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "org.code_security_metered_usage_lock",
+    "description": "Enablement for Code Security features on new repositories has been locked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.code_security_metered_usage_unlock",
+    "description": "Enablement for Code Security features on new repositories has been unlocked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "org.codeql_disabled",
     "description": "Code scanning using the default setup was disabled for an organization.",
@@ -6083,7 +6342,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -6146,7 +6406,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -6842,6 +7103,32 @@
     ],
     "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization"
   },
+  {
+    "action": "org.secret_protection_metered_usage_lock",
+    "description": "Enablement for Secret Protection features on new repositories has been locked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.secret_protection_metered_usage_unlock",
+    "description": "Enablement for Secret Protection features on new repositories has been unlocked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "org_secret_scanning_automatic_validity_checks.disabled",
     "description": "Automatic partner validation checks have been disabled at the organization level",
@@ -7383,49 +7670,36 @@
   },
   {
     "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "description": "The push protection setting was updated for a secret type for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
+      "actor",
       "org_id",
+      "org",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
+      "push_protection_setting",
       "secret_type",
       "secret_type_display_name",
-      "push_protection_setting"
+      "created_at"
     ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+    "docs_reference_titles": "About push protection"
   },
   {
     "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "description": "The push protection pattern configuration was updated for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
     "fields": [
-      "actor",
       "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
+      "actor",
       "org_id",
+      "org",
       "business",
       "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
+      "created_at"
     ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+    "docs_reference_titles": "About push protection"
   },
   {
     "action": "org.security_center_export_code_scanning_metrics",
@@ -7587,6 +7861,29 @@
     ],
     "docs_reference_titles": "Self-hosted runners"
   },
+  {
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
   {
     "action": "org.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
@@ -7925,6 +8222,28 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "org.update_immutable_releases_settings_policy",
+    "description": "The settings policy for immutable releases was updated for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "old_policy",
+      "new_policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "org.update_integration_secret",
     "description": "A Codespaces or Dependabot secret was updated for an organization.",
@@ -8087,9 +8406,61 @@
       "action",
       "@timestamp",
       "created_at",
-      "request_access_security_header"
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement"
+  },
+  {
+    "action": "organization_custom_property_value.create",
+    "description": "An organization's custom property value was manually set for the first time.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_value.destroy",
+    "description": "An organization's custom property value was deleted.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
     ],
-    "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement"
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
   },
   {
     "action": "organization_default_label.create",
@@ -11729,6 +12100,56 @@
     ],
     "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives"
   },
+  {
+    "action": "repo.immutable_releases_settings_disabled",
+    "description": "The setting for immutable releases was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.immutable_releases_settings_enabled",
+    "description": "The setting for immutable releases was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "repo.pages_cname",
     "description": "A GitHub Pages custom domain was modified in a repository.",
@@ -12245,6 +12666,60 @@
     ],
     "docs_reference_titles": "Self-hosted runners"
   },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
   {
     "action": "repo.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
@@ -15918,6 +16393,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "team.add_member",
     "description": "A member of an organization was added to a team.",
@@ -15937,7 +16508,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -15965,6 +16537,30 @@
       "actor_is_bot"
     ]
   },
+  {
+    "action": "team.add_to_organization",
+    "description": "A team was added to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "team.change_parent_team",
     "description": "A child team was created or a child team's parent was changed.",
@@ -16003,7 +16599,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -16026,7 +16623,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -16069,7 +16667,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -16220,6 +16819,30 @@
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer"
   },
+  {
+    "action": "team.remove_from_organization",
+    "description": "A team was removed from an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "team.remove_member",
     "description": "An organization member was removed from a team.",
@@ -16240,7 +16863,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -16285,7 +16909,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
@@ -16377,6 +17002,30 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "user_content_edit.delete",
+    "description": "Triggered when a user content edit is deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "user_content_id",
+      "user_content_type",
+      "created_at",
+      "user_agent",
+      "deleted_by",
+      "editor_id",
+      "_document_id",
+      "deleted_at",
+      "action",
+      "actor_id",
+      "editor",
+      "deleted_by_id",
+      "deleted_content",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
   {
     "action": "vulnerability_alert_rule.create",
     "description": "A Dependabot rule was created.",
diff --git a/src/audit-logs/data/ghec/user.json b/src/audit-logs/data/ghec/user.json
index f344231a33b8..8448a7a0dbf8 100644
--- a/src/audit-logs/data/ghec/user.json
+++ b/src/audit-logs/data/ghec/user.json
@@ -143,6 +143,88 @@
       "programmatic_access_type"
     ]
   },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
   {
     "action": "billing.change_billing_type",
     "description": "The way the account pays for GitHub was changed.",
@@ -183,6 +265,42 @@
     ],
     "docs_reference_titles": "Managing your payment and billing information"
   },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "billing.lock",
     "description": "N/A",
@@ -342,6 +460,50 @@
       "actor_is_bot"
     ]
   },
+  {
+    "action": "business.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
   {
     "action": "business.set_actions_fork_pr_approvals_policy",
     "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.",
@@ -2345,6 +2507,100 @@
     ],
     "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
   },
+  {
+    "action": "issue_dependencies.blocked_by_add",
+    "description": "An issue was marked as blocked by another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_remove",
+    "description": "The blocked by relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "org",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_add",
+    "description": "An issue was marked as blocking another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_remove",
+    "description": "The blocking relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
   {
     "action": "marketplace_agreement_signature.create",
     "description": "The GitHub Marketplace Developer Agreement was signed.",
@@ -3375,6 +3631,29 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
   {
     "action": "org.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
@@ -5659,6 +5938,60 @@
       "user_id"
     ]
   },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
   {
     "action": "repo.set_actions_fork_pr_approvals_policy",
     "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
@@ -6401,6 +6734,58 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "social_identity.linked",
+    "description": "A user linked a social identity to their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "actor_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked",
+    "description": "A user unlinked a social identity from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked_all",
+    "description": "A user unlinked all social identities from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "sponsors.agreement_sign",
     "description": "A GitHub Sponsors agreement was signed on behalf of an organization.",
@@ -6839,6 +7224,102 @@
       "operation_type"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
diff --git a/src/audit-logs/data/ghes-3.14/enterprise.json b/src/audit-logs/data/ghes-3.14/enterprise.json
index 83e7df922dbd..f323981054fa 100644
--- a/src/audit-logs/data/ghes-3.14/enterprise.json
+++ b/src/audit-logs/data/ghes-3.14/enterprise.json
@@ -1506,48 +1506,6 @@
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "business.secret_scanning_repo_admin_settings_policy_update",
     "description": "N/A",
@@ -4093,7 +4051,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -4114,7 +4072,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -4136,7 +4094,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -7649,52 +7607,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.self_hosted_runner_offline",
     "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
@@ -13886,7 +13798,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -13952,7 +13865,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -13975,7 +13889,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14018,7 +13933,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14126,7 +14042,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -14171,7 +14088,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
diff --git a/src/audit-logs/data/ghes-3.14/organization.json b/src/audit-logs/data/ghes-3.14/organization.json
index d27bb8920bc6..b7d4e53ad822 100644
--- a/src/audit-logs/data/ghes-3.14/organization.json
+++ b/src/audit-logs/data/ghes-3.14/organization.json
@@ -2089,7 +2089,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -2110,7 +2110,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -2132,7 +2132,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -5544,7 +5544,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -5607,7 +5608,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -6819,27 +6821,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.self_hosted_runner_offline",
     "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
@@ -14179,7 +14160,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -14245,7 +14227,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -14268,7 +14251,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14311,7 +14295,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14482,7 +14467,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -14527,7 +14513,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
diff --git a/src/audit-logs/data/ghes-3.15/enterprise.json b/src/audit-logs/data/ghes-3.15/enterprise.json
index 5cd39ba45899..45ea6733657b 100644
--- a/src/audit-logs/data/ghes-3.15/enterprise.json
+++ b/src/audit-logs/data/ghes-3.15/enterprise.json
@@ -1506,48 +1506,6 @@
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "business.secret_scanning_repo_admin_settings_policy_update",
     "description": "N/A",
@@ -4093,7 +4051,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -4114,7 +4072,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -4136,7 +4094,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -7649,52 +7607,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_coverage",
     "description": "A CSV export was requested on the Coverage page.",
@@ -13965,6 +13877,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
@@ -14085,7 +14093,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -14151,7 +14160,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -14174,7 +14184,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14217,7 +14228,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14325,7 +14337,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -14370,7 +14383,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
diff --git a/src/audit-logs/data/ghes-3.15/organization.json b/src/audit-logs/data/ghes-3.15/organization.json
index 4b36d8c64a99..e9efd7dcbe02 100644
--- a/src/audit-logs/data/ghes-3.15/organization.json
+++ b/src/audit-logs/data/ghes-3.15/organization.json
@@ -2096,7 +2096,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -2117,7 +2117,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -2139,7 +2139,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -5570,7 +5570,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -5633,7 +5634,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -6845,27 +6847,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_coverage",
     "description": "A CSV export was requested on the Coverage page.",
@@ -14716,6 +14697,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "team.add_member",
     "description": "A member of an organization was added to a team.",
@@ -14735,7 +14812,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -14801,7 +14879,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -14824,7 +14903,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14867,7 +14947,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15038,7 +15119,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -15083,7 +15165,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
diff --git a/src/audit-logs/data/ghes-3.15/user.json b/src/audit-logs/data/ghes-3.15/user.json
index 0d328c4eeb5f..345a71979a16 100644
--- a/src/audit-logs/data/ghes-3.15/user.json
+++ b/src/audit-logs/data/ghes-3.15/user.json
@@ -6596,6 +6596,102 @@
       "operation_type"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
diff --git a/src/audit-logs/data/ghes-3.16/enterprise.json b/src/audit-logs/data/ghes-3.16/enterprise.json
index da1d3639b6f2..f26b7cec1bb2 100644
--- a/src/audit-logs/data/ghes-3.16/enterprise.json
+++ b/src/audit-logs/data/ghes-3.16/enterprise.json
@@ -1529,48 +1529,6 @@
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "business.secret_scanning_repo_admin_settings_policy_update",
     "description": "N/A",
@@ -4326,7 +4284,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -4347,7 +4305,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -4369,7 +4327,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -7930,52 +7888,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_code_scanning_metrics",
     "description": "A CSV export was requested on the CodeQL pull request alerts page.",
@@ -13510,168 +13422,496 @@
     ]
   },
   {
-    "action": "restrict_notification_delivery.disable",
-    "description": "Email notification restrictions for an organization or enterprise were disabled.",
-    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "action": "repository_vulnerability_alert.auto_dismiss",
+    "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
     "fields": [
-      "user_agent",
-      "request_id",
       "actor",
       "actor_id",
-      "business",
-      "business_id",
-      "owner",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
       "action",
-      "operation_type",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
       "@timestamp",
       "created_at",
-      "_document_id"
+      "operation_type",
+      "business",
+      "business_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
     ],
-    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+    "docs_reference_titles": "About Dependabot auto-triage rules"
   },
   {
-    "action": "restrict_notification_delivery.enable",
-    "description": "Email notification restrictions for an organization or enterprise were enabled.",
-    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "action": "repository_vulnerability_alert.auto_reopen",
+    "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
     "fields": [
-      "user_agent",
-      "request_id",
       "actor",
       "actor_id",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
       "org",
       "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
       "business_id",
-      "owner",
-      "action",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About Dependabot auto-triage rules"
+  },
+  {
+    "action": "repository_vulnerability_alert.create",
+    "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
+    "fields": [
       "operation_type",
+      "request_id",
+      "repo_id",
       "@timestamp",
+      "user_agent",
+      "alert_id",
+      "action",
+      "repo",
       "created_at",
-      "_document_id"
+      "_document_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
     ],
-    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+    "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts"
   },
   {
-    "action": "secret_scanning_alert.create",
-    "description": "GitHub detected a secret and created a secret scanning alert.",
-    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "action": "repository_vulnerability_alert.dismiss",
+    "description": "A Dependabot alert was manually dismissed.",
+    "docs_reference_links": "N/A",
     "fields": [
       "repo_id",
-      "repo",
-      "actor_id",
-      "actor",
       "org_id",
+      "user_id",
+      "request_id",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "alert_id",
+      "actor",
+      "repo",
+      "created_at",
       "org",
-      "business",
-      "business_id",
-      "number",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo"
-    ],
-    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+      "_document_id",
+      "action",
+      "actor_id",
+      "dismiss_reason",
+      "user",
+      "dismiss_comment",
+      "alert_number",
+      "actor_is_bot"
+    ]
   },
   {
-    "action": "secret_scanning_alert.reopen",
-    "description": "A secret scanning alert was reopened.",
+    "action": "repository_vulnerability_alert.reintroduce",
+    "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.",
     "docs_reference_links": "N/A",
     "fields": [
       "user_agent",
       "request_id",
       "actor",
       "actor_id",
-      "number",
-      "user",
-      "user_id",
+      "alert_id",
+      "created_at",
+      "action",
       "repo",
       "repo_id",
       "public_repo",
-      "action",
+      "owner",
       "_document_id",
       "@timestamp",
-      "created_at",
       "operation_type",
       "token_scopes",
-      "secret_type_display_name"
+      "alert_number"
     ]
   },
   {
-    "action": "secret_scanning_alert.resolve",
-    "description": "A secret scanning alert was resolved.",
+    "action": "repository_vulnerability_alert.reopen",
+    "description": "A Dependabot alert was manually reopened.",
     "docs_reference_links": "N/A",
     "fields": [
       "user_agent",
       "request_id",
       "actor",
       "actor_id",
-      "number",
-      "resolution",
-      "user",
-      "user_id",
+      "alert_id",
+      "created_at",
+      "action",
       "repo",
       "repo_id",
-      "public_repo",
-      "action",
+      "owner",
+      "org",
+      "org_id",
       "_document_id",
       "@timestamp",
-      "created_at",
       "operation_type",
-      "token_scopes",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo",
+      "business",
+      "business_id",
+      "public_repo",
+      "alert_number",
       "request_access_security_header"
     ]
   },
   {
-    "action": "secret_scanning_alert.revoke",
-    "description": "A secret scanning alert was revoked.",
+    "action": "repository_vulnerability_alert.resolve",
+    "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.",
     "docs_reference_links": "N/A",
     "fields": [
+      "alert_id",
+      "repo",
+      "operation_type",
+      "action",
+      "repo_id",
+      "_document_id",
       "user_agent",
       "request_id",
+      "@timestamp",
+      "created_at",
       "actor",
       "actor_id",
-      "number",
-      "user",
-      "user_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.withdraw",
+    "description": "A Dependabot alert was withdrawn.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "created_at",
+      "active",
+      "action",
+      "repository_id",
       "repo",
       "repo_id",
       "public_repo",
+      "owner",
       "org",
       "org_id",
-      "action",
       "_document_id",
       "@timestamp",
-      "created_at",
-      "operation_type",
-      "business",
-      "business_id"
+      "operation_type"
     ]
   },
   {
-    "action": "secret_scanning_alert.validate",
-    "description": "A secret scanning alert was validated.",
-    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "action": "repository_vulnerability_alerts.authorized_users_teams",
+    "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts",
     "fields": [
-      "repo_id",
+      "org",
+      "_document_id",
       "repo",
-      "actor_id",
-      "actor",
       "org_id",
-      "org",
-      "business",
-      "business_id",
-      "number",
+      "operation_type",
       "created_at",
-      "previous_validity",
-      "current_validity",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo"
-    ],
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "repo_id",
+      "request_id",
+      "actor_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts"
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.disable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.enable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.disable",
+    "description": "Dependabot alerts was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "request_id",
+      "repo_id",
+      "action",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_agent",
+      "org_id",
+      "user",
+      "org",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.enable",
+    "description": "Dependabot alerts was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_agent",
+      "created_at",
+      "@timestamp",
+      "repo_id",
+      "action",
+      "user",
+      "repo",
+      "org",
+      "org_id",
+      "actor_id",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "restrict_notification_delivery.disable",
+    "description": "Email notification restrictions for an organization or enterprise were disabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "restrict_notification_delivery.enable",
+    "description": "Email notification restrictions for an organization or enterprise were enabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "secret_scanning_alert.create",
+    "description": "GitHub detected a secret and created a secret scanning alert.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning_alert.reopen",
+    "description": "A secret scanning alert was reopened.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type_display_name"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.resolve",
+    "description": "A secret scanning alert was resolved.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "resolution",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.revoke",
+    "description": "A secret scanning alert was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.validate",
+    "description": "A secret scanning alert was validated.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "created_at",
+      "previous_validity",
+      "current_validity",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
     "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
   },
   {
@@ -14679,6 +14919,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
@@ -14799,7 +15135,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -14865,7 +15202,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -14888,7 +15226,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -14931,7 +15270,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15039,7 +15379,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -15084,7 +15425,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
@@ -16758,6 +17100,150 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "vulnerability_alert_rule.create",
+    "description": "A Dependabot rule was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.delete",
+    "description": "A Dependabot rule was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.disable",
+    "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.enable",
+    "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_disable",
+    "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_enable",
+    "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.update",
+    "description": "A Dependabot rule's conditions, actions, or metadata changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "workflows.approve_workflow_job",
     "description": "A workflow job was approved.",
diff --git a/src/audit-logs/data/ghes-3.16/organization.json b/src/audit-logs/data/ghes-3.16/organization.json
index a07015de5c15..5af0af1ad547 100644
--- a/src/audit-logs/data/ghes-3.16/organization.json
+++ b/src/audit-logs/data/ghes-3.16/organization.json
@@ -2203,7 +2203,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -2224,7 +2224,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -2246,7 +2246,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -5725,7 +5725,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -5788,7 +5789,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -7000,27 +7002,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_code_scanning_metrics",
     "description": "A CSV export was requested on the CodeQL pull request alerts page.",
@@ -15179,6 +15160,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "team.add_member",
     "description": "A member of an organization was added to a team.",
@@ -15198,7 +15275,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -15264,7 +15342,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -15287,7 +15366,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15330,7 +15410,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15501,7 +15582,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -15546,7 +15628,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
diff --git a/src/audit-logs/data/ghes-3.16/user.json b/src/audit-logs/data/ghes-3.16/user.json
index 0c21912c94e1..424a6cbfe281 100644
--- a/src/audit-logs/data/ghes-3.16/user.json
+++ b/src/audit-logs/data/ghes-3.16/user.json
@@ -6750,6 +6750,102 @@
       "operation_type"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
diff --git a/src/audit-logs/data/ghes-3.17/enterprise.json b/src/audit-logs/data/ghes-3.17/enterprise.json
index 41ad6afc1bd3..2a8662b06140 100644
--- a/src/audit-logs/data/ghes-3.17/enterprise.json
+++ b/src/audit-logs/data/ghes-3.17/enterprise.json
@@ -1552,48 +1552,6 @@
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "business.secret_scanning_repo_admin_settings_policy_update",
     "description": "N/A",
@@ -4479,7 +4437,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -4500,7 +4458,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -4522,7 +4480,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -8174,52 +8132,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_code_scanning_metrics",
     "description": "A CSV export was requested on the CodeQL pull request alerts page.",
@@ -13928,168 +13840,496 @@
     ]
   },
   {
-    "action": "restrict_notification_delivery.disable",
-    "description": "Email notification restrictions for an organization or enterprise were disabled.",
-    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "action": "repository_vulnerability_alert.auto_dismiss",
+    "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
     "fields": [
-      "user_agent",
-      "request_id",
       "actor",
       "actor_id",
-      "business",
-      "business_id",
-      "owner",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
       "action",
-      "operation_type",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
       "@timestamp",
       "created_at",
-      "_document_id"
+      "operation_type",
+      "business",
+      "business_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
     ],
-    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+    "docs_reference_titles": "About Dependabot auto-triage rules"
   },
   {
-    "action": "restrict_notification_delivery.enable",
-    "description": "Email notification restrictions for an organization or enterprise were enabled.",
-    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "action": "repository_vulnerability_alert.auto_reopen",
+    "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
     "fields": [
-      "user_agent",
-      "request_id",
       "actor",
       "actor_id",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
       "org",
       "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
       "business_id",
-      "owner",
-      "action",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About Dependabot auto-triage rules"
+  },
+  {
+    "action": "repository_vulnerability_alert.create",
+    "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
+    "fields": [
       "operation_type",
+      "request_id",
+      "repo_id",
       "@timestamp",
+      "user_agent",
+      "alert_id",
+      "action",
+      "repo",
       "created_at",
-      "_document_id"
+      "_document_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
     ],
-    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+    "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts"
   },
   {
-    "action": "secret_scanning_alert.create",
-    "description": "GitHub detected a secret and created a secret scanning alert.",
-    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "action": "repository_vulnerability_alert.dismiss",
+    "description": "A Dependabot alert was manually dismissed.",
+    "docs_reference_links": "N/A",
     "fields": [
       "repo_id",
-      "repo",
-      "actor_id",
-      "actor",
       "org_id",
+      "user_id",
+      "request_id",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "alert_id",
+      "actor",
+      "repo",
+      "created_at",
       "org",
-      "business",
-      "business_id",
-      "number",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo"
-    ],
-    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+      "_document_id",
+      "action",
+      "actor_id",
+      "dismiss_reason",
+      "user",
+      "dismiss_comment",
+      "alert_number",
+      "actor_is_bot"
+    ]
   },
   {
-    "action": "secret_scanning_alert.reopen",
-    "description": "A secret scanning alert was reopened.",
+    "action": "repository_vulnerability_alert.reintroduce",
+    "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.",
     "docs_reference_links": "N/A",
     "fields": [
       "user_agent",
       "request_id",
       "actor",
       "actor_id",
-      "number",
-      "user",
-      "user_id",
+      "alert_id",
+      "created_at",
+      "action",
       "repo",
       "repo_id",
       "public_repo",
-      "action",
+      "owner",
       "_document_id",
       "@timestamp",
-      "created_at",
       "operation_type",
       "token_scopes",
-      "secret_type_display_name"
+      "alert_number"
     ]
   },
   {
-    "action": "secret_scanning_alert.resolve",
-    "description": "A secret scanning alert was resolved.",
+    "action": "repository_vulnerability_alert.reopen",
+    "description": "A Dependabot alert was manually reopened.",
     "docs_reference_links": "N/A",
     "fields": [
       "user_agent",
       "request_id",
       "actor",
       "actor_id",
-      "number",
-      "resolution",
-      "user",
-      "user_id",
+      "alert_id",
+      "created_at",
+      "action",
       "repo",
       "repo_id",
-      "public_repo",
-      "action",
+      "owner",
+      "org",
+      "org_id",
       "_document_id",
       "@timestamp",
-      "created_at",
       "operation_type",
-      "token_scopes",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo",
+      "business",
+      "business_id",
+      "public_repo",
+      "alert_number",
       "request_access_security_header"
     ]
   },
   {
-    "action": "secret_scanning_alert.revoke",
-    "description": "A secret scanning alert was revoked.",
+    "action": "repository_vulnerability_alert.resolve",
+    "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.",
     "docs_reference_links": "N/A",
     "fields": [
+      "alert_id",
+      "repo",
+      "operation_type",
+      "action",
+      "repo_id",
+      "_document_id",
       "user_agent",
       "request_id",
+      "@timestamp",
+      "created_at",
       "actor",
       "actor_id",
-      "number",
-      "user",
-      "user_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.withdraw",
+    "description": "A Dependabot alert was withdrawn.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "created_at",
+      "active",
+      "action",
+      "repository_id",
       "repo",
       "repo_id",
       "public_repo",
+      "owner",
       "org",
       "org_id",
-      "action",
       "_document_id",
       "@timestamp",
-      "created_at",
-      "operation_type",
-      "business",
-      "business_id"
+      "operation_type"
     ]
   },
   {
-    "action": "secret_scanning_alert.validate",
-    "description": "A secret scanning alert was validated.",
-    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "action": "repository_vulnerability_alerts.authorized_users_teams",
+    "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts",
     "fields": [
-      "repo_id",
+      "org",
+      "_document_id",
       "repo",
-      "actor_id",
-      "actor",
       "org_id",
-      "org",
-      "business",
-      "business_id",
-      "number",
+      "operation_type",
       "created_at",
-      "previous_validity",
-      "current_validity",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo"
-    ],
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "repo_id",
+      "request_id",
+      "actor_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts"
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.disable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.enable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.disable",
+    "description": "Dependabot alerts was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "request_id",
+      "repo_id",
+      "action",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_agent",
+      "org_id",
+      "user",
+      "org",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.enable",
+    "description": "Dependabot alerts was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_agent",
+      "created_at",
+      "@timestamp",
+      "repo_id",
+      "action",
+      "user",
+      "repo",
+      "org",
+      "org_id",
+      "actor_id",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "restrict_notification_delivery.disable",
+    "description": "Email notification restrictions for an organization or enterprise were disabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "restrict_notification_delivery.enable",
+    "description": "Email notification restrictions for an organization or enterprise were enabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "secret_scanning_alert.create",
+    "description": "GitHub detected a secret and created a secret scanning alert.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning_alert.reopen",
+    "description": "A secret scanning alert was reopened.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type_display_name"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.resolve",
+    "description": "A secret scanning alert was resolved.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "resolution",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.revoke",
+    "description": "A secret scanning alert was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.validate",
+    "description": "A secret scanning alert was validated.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "created_at",
+      "previous_validity",
+      "current_validity",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
     "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
   },
   {
@@ -15126,6 +15366,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
@@ -15246,7 +15582,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -15312,7 +15649,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -15335,7 +15673,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15378,7 +15717,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15486,7 +15826,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -15531,7 +15872,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
@@ -17205,6 +17547,150 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "vulnerability_alert_rule.create",
+    "description": "A Dependabot rule was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.delete",
+    "description": "A Dependabot rule was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.disable",
+    "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.enable",
+    "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_disable",
+    "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_enable",
+    "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.update",
+    "description": "A Dependabot rule's conditions, actions, or metadata changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "workflows.approve_workflow_job",
     "description": "A workflow job was approved.",
diff --git a/src/audit-logs/data/ghes-3.17/organization.json b/src/audit-logs/data/ghes-3.17/organization.json
index 1c294a17cc48..4511866781ce 100644
--- a/src/audit-logs/data/ghes-3.17/organization.json
+++ b/src/audit-logs/data/ghes-3.17/organization.json
@@ -2369,7 +2369,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -2390,7 +2390,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -2412,7 +2412,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -5915,7 +5915,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -5978,7 +5979,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -7190,27 +7192,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_code_scanning_metrics",
     "description": "A CSV export was requested on the CodeQL pull request alerts page.",
@@ -15594,6 +15575,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "team.add_member",
     "description": "A member of an organization was added to a team.",
@@ -15613,7 +15690,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -15679,7 +15757,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -15702,7 +15781,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15745,7 +15825,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15916,7 +15997,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -15961,7 +16043,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
diff --git a/src/audit-logs/data/ghes-3.17/user.json b/src/audit-logs/data/ghes-3.17/user.json
index d8f80000e775..0ee395d2b3fe 100644
--- a/src/audit-logs/data/ghes-3.17/user.json
+++ b/src/audit-logs/data/ghes-3.17/user.json
@@ -6813,6 +6813,102 @@
       "operation_type"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
diff --git a/src/audit-logs/data/ghes-3.18/enterprise.json b/src/audit-logs/data/ghes-3.18/enterprise.json
index 706c6a8ec582..c703587473fb 100644
--- a/src/audit-logs/data/ghes-3.18/enterprise.json
+++ b/src/audit-logs/data/ghes-3.18/enterprise.json
@@ -1552,48 +1552,6 @@
     ],
     "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
   },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "business_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your enterprise.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "business.secret_scanning_repo_admin_settings_policy_update",
     "description": "N/A",
@@ -4528,7 +4486,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -4549,7 +4507,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -4571,7 +4529,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -8223,52 +8181,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
-    "description": "The push protection setting was changed for a secret type for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp",
-      "created_at",
-      "secret_type",
-      "secret_type_display_name",
-      "push_protection_setting"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_code_scanning_metrics",
     "description": "A CSV export was requested on the CodeQL pull request alerts page.",
@@ -14031,168 +13943,496 @@
     ]
   },
   {
-    "action": "restrict_notification_delivery.disable",
-    "description": "Email notification restrictions for an organization or enterprise were disabled.",
-    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "action": "repository_vulnerability_alert.auto_dismiss",
+    "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
     "fields": [
-      "user_agent",
-      "request_id",
       "actor",
       "actor_id",
-      "business",
-      "business_id",
-      "owner",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
       "action",
-      "operation_type",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
       "@timestamp",
       "created_at",
-      "_document_id"
+      "operation_type",
+      "business",
+      "business_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
     ],
-    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+    "docs_reference_titles": "About Dependabot auto-triage rules"
   },
   {
-    "action": "restrict_notification_delivery.enable",
-    "description": "Email notification restrictions for an organization or enterprise were enabled.",
-    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "action": "repository_vulnerability_alert.auto_reopen",
+    "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
     "fields": [
-      "user_agent",
-      "request_id",
       "actor",
       "actor_id",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
       "org",
       "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
       "business_id",
-      "owner",
-      "action",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About Dependabot auto-triage rules"
+  },
+  {
+    "action": "repository_vulnerability_alert.create",
+    "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
+    "fields": [
       "operation_type",
+      "request_id",
+      "repo_id",
       "@timestamp",
+      "user_agent",
+      "alert_id",
+      "action",
+      "repo",
       "created_at",
-      "_document_id"
+      "_document_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
     ],
-    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+    "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts"
   },
   {
-    "action": "secret_scanning_alert.create",
-    "description": "GitHub detected a secret and created a secret scanning alert.",
-    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "action": "repository_vulnerability_alert.dismiss",
+    "description": "A Dependabot alert was manually dismissed.",
+    "docs_reference_links": "N/A",
     "fields": [
       "repo_id",
-      "repo",
-      "actor_id",
-      "actor",
       "org_id",
+      "user_id",
+      "request_id",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "alert_id",
+      "actor",
+      "repo",
+      "created_at",
       "org",
-      "business",
-      "business_id",
-      "number",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo"
-    ],
-    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+      "_document_id",
+      "action",
+      "actor_id",
+      "dismiss_reason",
+      "user",
+      "dismiss_comment",
+      "alert_number",
+      "actor_is_bot"
+    ]
   },
   {
-    "action": "secret_scanning_alert.reopen",
-    "description": "A secret scanning alert was reopened.",
+    "action": "repository_vulnerability_alert.reintroduce",
+    "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.",
     "docs_reference_links": "N/A",
     "fields": [
       "user_agent",
       "request_id",
       "actor",
       "actor_id",
-      "number",
-      "user",
-      "user_id",
+      "alert_id",
+      "created_at",
+      "action",
       "repo",
       "repo_id",
       "public_repo",
-      "action",
+      "owner",
       "_document_id",
       "@timestamp",
-      "created_at",
       "operation_type",
       "token_scopes",
-      "secret_type_display_name"
+      "alert_number"
     ]
   },
   {
-    "action": "secret_scanning_alert.resolve",
-    "description": "A secret scanning alert was resolved.",
+    "action": "repository_vulnerability_alert.reopen",
+    "description": "A Dependabot alert was manually reopened.",
     "docs_reference_links": "N/A",
     "fields": [
       "user_agent",
       "request_id",
       "actor",
       "actor_id",
-      "number",
-      "resolution",
-      "user",
-      "user_id",
+      "alert_id",
+      "created_at",
+      "action",
       "repo",
       "repo_id",
-      "public_repo",
-      "action",
+      "owner",
+      "org",
+      "org_id",
       "_document_id",
       "@timestamp",
-      "created_at",
       "operation_type",
-      "token_scopes",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo",
+      "business",
+      "business_id",
+      "public_repo",
+      "alert_number",
       "request_access_security_header"
     ]
   },
   {
-    "action": "secret_scanning_alert.revoke",
-    "description": "A secret scanning alert was revoked.",
+    "action": "repository_vulnerability_alert.resolve",
+    "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.",
     "docs_reference_links": "N/A",
     "fields": [
+      "alert_id",
+      "repo",
+      "operation_type",
+      "action",
+      "repo_id",
+      "_document_id",
       "user_agent",
       "request_id",
+      "@timestamp",
+      "created_at",
       "actor",
       "actor_id",
-      "number",
-      "user",
-      "user_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.withdraw",
+    "description": "A Dependabot alert was withdrawn.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "created_at",
+      "active",
+      "action",
+      "repository_id",
       "repo",
       "repo_id",
       "public_repo",
+      "owner",
       "org",
       "org_id",
-      "action",
       "_document_id",
       "@timestamp",
-      "created_at",
-      "operation_type",
-      "business",
-      "business_id"
+      "operation_type"
     ]
   },
   {
-    "action": "secret_scanning_alert.validate",
-    "description": "A secret scanning alert was validated.",
-    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "action": "repository_vulnerability_alerts.authorized_users_teams",
+    "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts",
     "fields": [
-      "repo_id",
+      "org",
+      "_document_id",
       "repo",
-      "actor_id",
-      "actor",
       "org_id",
-      "org",
-      "business",
-      "business_id",
-      "number",
+      "operation_type",
       "created_at",
-      "previous_validity",
-      "current_validity",
-      "secret_type",
-      "secret_type_display_name",
-      "publicly_leaked",
-      "multi_repo"
-    ],
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "repo_id",
+      "request_id",
+      "actor_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts"
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.disable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.enable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.disable",
+    "description": "Dependabot alerts was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "request_id",
+      "repo_id",
+      "action",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_agent",
+      "org_id",
+      "user",
+      "org",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.enable",
+    "description": "Dependabot alerts was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_agent",
+      "created_at",
+      "@timestamp",
+      "repo_id",
+      "action",
+      "user",
+      "repo",
+      "org",
+      "org_id",
+      "actor_id",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "restrict_notification_delivery.disable",
+    "description": "Email notification restrictions for an organization or enterprise were disabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "restrict_notification_delivery.enable",
+    "description": "Email notification restrictions for an organization or enterprise were enabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "secret_scanning_alert.create",
+    "description": "GitHub detected a secret and created a secret scanning alert.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning_alert.reopen",
+    "description": "A secret scanning alert was reopened.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type_display_name"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.resolve",
+    "description": "A secret scanning alert was resolved.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "resolution",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.revoke",
+    "description": "A secret scanning alert was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.validate",
+    "description": "A secret scanning alert was validated.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "created_at",
+      "previous_validity",
+      "current_validity",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
     "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
   },
   {
@@ -15229,6 +15469,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
@@ -15349,7 +15685,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -15415,7 +15752,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -15438,7 +15776,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15481,7 +15820,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -15589,7 +15929,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -15634,7 +15975,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
@@ -17308,6 +17650,150 @@
       "request_access_security_header"
     ]
   },
+  {
+    "action": "vulnerability_alert_rule.create",
+    "description": "A Dependabot rule was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.delete",
+    "description": "A Dependabot rule was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.disable",
+    "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.enable",
+    "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_disable",
+    "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_enable",
+    "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.update",
+    "description": "A Dependabot rule's conditions, actions, or metadata changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
   {
     "action": "workflows.approve_workflow_job",
     "description": "A workflow job was approved.",
diff --git a/src/audit-logs/data/ghes-3.18/organization.json b/src/audit-logs/data/ghes-3.18/organization.json
index 812b787ee78f..440fc8c31bec 100644
--- a/src/audit-logs/data/ghes-3.18/organization.json
+++ b/src/audit-logs/data/ghes-3.18/organization.json
@@ -2418,7 +2418,7 @@
   },
   {
     "action": "git.clone",
-    "description": "A repository was cloned.",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -2439,7 +2439,7 @@
   },
   {
     "action": "git.fetch",
-    "description": "Changes were fetched from a repository.",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "action",
@@ -2461,7 +2461,7 @@
   },
   {
     "action": "git.push",
-    "description": "Changes were pushed to a repository.",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
     "docs_reference_links": "N/A",
     "fields": [
       "transport_protocol",
@@ -6083,7 +6083,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -6146,7 +6147,8 @@
       "created_at",
       "operation_type",
       "business",
-      "business_id"
+      "business_id",
+      "oauth_application_name"
     ]
   },
   {
@@ -7381,27 +7383,6 @@
     ],
     "docs_reference_titles": "About push protection"
   },
-  {
-    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
-    "description": "The push protection pattern configuration was updated for your org.",
-    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
-    "fields": [
-      "actor",
-      "actor_id",
-      "user_agent",
-      "request_id",
-      "user",
-      "user_id",
-      "org",
-      "org_id",
-      "business",
-      "business_id",
-      "action",
-      "_document_id",
-      "@timestamp"
-    ],
-    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
-  },
   {
     "action": "org.security_center_export_code_scanning_metrics",
     "description": "A CSV export was requested on the CodeQL pull request alerts page.",
@@ -15893,6 +15874,102 @@
       "_document_id"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "team.add_member",
     "description": "A member of an organization was added to a team.",
@@ -15912,7 +15989,8 @@
       "org",
       "action",
       "actor",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
   },
@@ -15978,7 +16056,8 @@
       "org_id",
       "@timestamp",
       "actor",
-      "_document_id"
+      "_document_id",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
   },
@@ -16001,7 +16080,8 @@
       "created_at",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -16044,7 +16124,8 @@
       "request_id",
       "operation_type",
       "_document_id",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ]
   },
   {
@@ -16215,7 +16296,8 @@
       "user_agent",
       "_document_id",
       "token_scopes",
-      "programmatic_access_type"
+      "programmatic_access_type",
+      "team_type"
     ],
     "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
   },
@@ -16260,7 +16342,8 @@
       "@timestamp",
       "_document_id",
       "programmatic_access_type",
-      "request_access_security_header"
+      "request_access_security_header",
+      "team_type"
     ]
   },
   {
diff --git a/src/audit-logs/data/ghes-3.18/user.json b/src/audit-logs/data/ghes-3.18/user.json
index f344231a33b8..5cf6a4d4fb2a 100644
--- a/src/audit-logs/data/ghes-3.18/user.json
+++ b/src/audit-logs/data/ghes-3.18/user.json
@@ -6839,6 +6839,102 @@
       "operation_type"
     ]
   },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
   {
     "action": "successor_invitation.accept",
     "description": "Triggered when you accept a succession invitation.",
diff --git a/src/audit-logs/data/ghes-3.19/enterprise.json b/src/audit-logs/data/ghes-3.19/enterprise.json
new file mode 100644
index 000000000000..2705f686dc84
--- /dev/null
+++ b/src/audit-logs/data/ghes-3.19/enterprise.json
@@ -0,0 +1,18852 @@
+[
+  {
+    "action": "account.billing_date_change",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "_document_id",
+      "created_at",
+      "action",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org_id"
+    ]
+  },
+  {
+    "action": "account.plan_change",
+    "description": "The account's plan changed.",
+    "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans",
+    "fields": [
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "created_at",
+      "actor_id",
+      "request_id",
+      "@timestamp",
+      "user",
+      "action",
+      "user_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "How GitHub billing works"
+  },
+  {
+    "action": "account_recovery_token.confirm",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "token_id",
+      "user_id",
+      "user",
+      "actor",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "account_recovery_token.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "created_at",
+      "token_id",
+      "user",
+      "request_id",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "user_id",
+      "actor_id",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "account_recovery_token.recover",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "user_agent",
+      "request_id",
+      "action",
+      "_document_id",
+      "user_id",
+      "token_id"
+    ]
+  },
+  {
+    "action": "actions_cache.delete",
+    "description": "A GitHub Actions cache was deleted using the REST API.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "user_id",
+      "user",
+      "repo_id",
+      "repo",
+      "org",
+      "org_id",
+      "actions_cache_id",
+      "actions_cache_key",
+      "actions_cache_version",
+      "actions_cache_scope",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "api.request",
+    "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
+    "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_method",
+      "query_string",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "request_body",
+      "status_code",
+      "url_path",
+      "business",
+      "business_id",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "route",
+      "rate_limit_remaining",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Streaming the audit log for your enterprise"
+  },
+  {
+    "action": "artifact.destroy",
+    "description": "A workflow run artifact was manually deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "request_id",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "audit_log_streaming.check",
+    "description": "A manual check of the endpoint configured for audit log streaming was performed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "audit_log_stream_result",
+      "business_id",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "audit_log_stream_sink_details",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "audit_log_streaming.create",
+    "description": "An endpoint was added for audit log streaming.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business_id",
+      "business",
+      "audit_log_stream_sink",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "audit_log_stream_id"
+    ]
+  },
+  {
+    "action": "audit_log_streaming.destroy",
+    "description": "An audit log streaming endpoint was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business_id",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "audit_log_stream_id",
+      "audit_log_stream_sink_details"
+    ]
+  },
+  {
+    "action": "audit_log_streaming.update",
+    "description": "An endpoint configuration was updated for audit log streaming, such as the stream was paused, enabled, or disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "audit_log_stream_enabled",
+      "business_id",
+      "business",
+      "audit_log_stream_sink",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "new_s3_bucket",
+      "old_s3_bucket",
+      "secrets_updated",
+      "new_s3_arn_role",
+      "old_s3_arn_role",
+      "new_azure_blob_container",
+      "old_azure_blob_container",
+      "new_event_hub_instance",
+      "old_event_hub_instance",
+      "new_splunk_domain",
+      "old_splunk_domain",
+      "ssl_verify",
+      "old_gc_bucket"
+    ]
+  },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
+  {
+    "action": "billing.change_billing_type",
+    "description": "The way the account pays for GitHub was changed.",
+    "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method",
+    "fields": [
+      "actor_id",
+      "user",
+      "@timestamp",
+      "actor",
+      "user_id",
+      "action",
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "request_id"
+    ],
+    "docs_reference_titles": "Managing your payment and billing information"
+  },
+  {
+    "action": "billing.change_email",
+    "description": "The billing email address changed.",
+    "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email",
+    "fields": [
+      "actor",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "org",
+      "email",
+      "action",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing your payment and billing information"
+  },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing.lock",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "oauth_application_id",
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "request_id",
+      "actor",
+      "user",
+      "user_id",
+      "user_agent",
+      "created_at",
+      "action"
+    ]
+  },
+  {
+    "action": "billing.unlock",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "operation_type",
+      "user_agent",
+      "created_at",
+      "user_id",
+      "request_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "billing.update_bill_cycle_day",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business.add_admin",
+    "description": "An enterprise owner was added to an enterprise.",
+    "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise",
+    "fields": [
+      "name",
+      "business",
+      "user",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "request_id",
+      "business_id",
+      "_document_id",
+      "user_agent",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Inviting people to manage your enterprise"
+  },
+  {
+    "action": "business.add_organization",
+    "description": "An organization was added to an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "business_id",
+      "org",
+      "action",
+      "user_agent",
+      "actor_id",
+      "name",
+      "created_at",
+      "request_id",
+      "_document_id",
+      "business",
+      "organization_upgrade",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business_advanced_security.disabled",
+    "description": "GitHub Advanced Security was disabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_advanced_security.disabled_for_new_repos",
+    "description": "GitHub Advanced Security was disabled for new repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_advanced_security.disabled_for_new_user_namespace_repos",
+    "description": "GitHub Advanced Security was disabled for new user namespace repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_advanced_security.enabled",
+    "description": "GitHub Advanced Security was enabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_advanced_security.enabled_for_new_repos",
+    "description": "GitHub Advanced Security was enabled for new repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_advanced_security.enabled_for_new_user_namespace_repos",
+    "description": "GitHub Advanced Security was enabled for new user namespace repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business.advanced_security_policy_update",
+    "description": "An enterprise owner created, updated, or removed a policy for GitHub Advanced Security.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-code-security-and-analysis-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "new_policy",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "business.advanced_security_repo_admin_enablement_policy_update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "new_policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business_advanced_security.user_namespace_repos_disabled",
+    "description": "GitHub Advanced Security was disabled for user namespace repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_advanced_security.user_namespace_repos_enabled",
+    "description": "GitHub Advanced Security was enabled for user namespace repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business.clear_actions_settings",
+    "description": "An enterprise owner or site administrator cleared GitHub Actions policy settings for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.clear_default_repository_permission",
+    "description": "An enterprise owner cleared the base repository permission policy setting for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions",
+    "fields": [
+      "name",
+      "operation_type",
+      "business_id",
+      "user_agent",
+      "actor_id",
+      "request_id",
+      "actor",
+      "_document_id",
+      "business",
+      "action",
+      "@timestamp",
+      "created_at"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "business.clear_members_can_create_repos",
+    "description": "An enterprise owner cleared a restriction on repository creation in organizations in the enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#setting-a-policy-for-repository-creation",
+    "fields": [
+      "user_agent",
+      "actor_id",
+      "business_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "name",
+      "business",
+      "visibility",
+      "created_at",
+      "actor",
+      "operation_type",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "business.code_scanning_autofix_policy_update",
+    "description": "The policy for Code scanning autofix was updated for an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "new_policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.code_scanning_autofix_third_party_tools_policy_update",
+    "description": "The policy for Code scanning autofix third party tools was updated for an enterprise.",
+    "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "new_policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security"
+  },
+  {
+    "action": "business.code_security_enablement_policy_update",
+    "description": "The policy for Code Security enablement was updated for an enterprise.",
+    "docs_reference_links": "/code-security/getting-started/github-security-features#available-with-github-code-security",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "new_policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/code-security/getting-started/github-security-features#available-with-github-code-security"
+  },
+  {
+    "action": "business.create",
+    "description": "An enterprise was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "_document_id",
+      "action",
+      "@timestamp",
+      "request_id",
+      "name",
+      "business",
+      "business_id",
+      "operation_type",
+      "actor",
+      "created_at",
+      "user_agent",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business_dependabot_alerts_new_repos.disable",
+    "description": "Dependabot alerts were disabled for new repositories in your enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business_dependabot_alerts_new_repos.enable",
+    "description": "Dependabot alerts were enabled for new repositories in your enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business.dependabot_alerts_repo_admin_enablement_policy_update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "new_policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business.disable_open_scim",
+    "description": "SCIM provisioning for custom integrations that use the REST API was disabled for the enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.disable_source_ip_disclosure",
+    "description": "Display of IP addresses within audit log events for the enterprise was disabled.",
+    "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise"
+  },
+  {
+    "action": "business.disable_two_factor_requirement",
+    "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "@timestamp",
+      "actor",
+      "business",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "business_id",
+      "actor_id",
+      "name",
+      "_document_id",
+      "request_id"
+    ]
+  },
+  {
+    "action": "business.enable_open_scim",
+    "description": "SCIM provisioning for custom integrations that use the REST API was enabled for the enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business.enable_source_ip_disclosure",
+    "description": "Display of IP addresses within audit log events for the enterprise was enabled.",
+    "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Displaying IP addresses in the audit log for your enterprise"
+  },
+  {
+    "action": "business.enable_two_factor_requirement",
+    "description": "The requirement for members to have two-factor authentication enabled to access an enterprise was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "user_agent",
+      "actor",
+      "operation_type",
+      "created_at",
+      "business",
+      "business_id",
+      "name",
+      "_document_id",
+      "request_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "business.members_can_update_protected_branches.clear",
+    "description": "An enterprise owner unset a policy for whether members of an enterprise can update protected branches on repositories for individual organizations. Organization owners can choose whether to allow updating protected branches settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "action",
+      "created_at",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "business",
+      "name",
+      "operation_type",
+      "user",
+      "user_agent",
+      "business_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "business.members_can_update_protected_branches.disable",
+    "description": "The ability for enterprise members to update branch protection rules was disabled. Only enterprise owners can update protected branches.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "business.members_can_update_protected_branches.enable",
+    "description": "The ability for enterprise members to update branch protection rules was enabled. Enterprise owners and members can update protected branches.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "business_id",
+      "user",
+      "@timestamp",
+      "business",
+      "actor_id",
+      "created_at",
+      "action",
+      "user_agent",
+      "request_id",
+      "user_id"
+    ]
+  },
+  {
+    "action": "business.remove_admin",
+    "description": "An enterprise owner was removed from an enterprise.",
+    "docs_reference_links": "/admin/user-management/managing-users-in-your-enterprise/inviting-people-to-manage-your-enterprise",
+    "fields": [
+      "actor",
+      "operation_type",
+      "user_agent",
+      "business",
+      "business_id",
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "action",
+      "name",
+      "actor_id",
+      "user_id",
+      "_document_id",
+      "user"
+    ],
+    "docs_reference_titles": "Inviting people to manage your enterprise"
+  },
+  {
+    "action": "business.remove_organization",
+    "description": "An organization was removed from an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "business",
+      "actor",
+      "actor_id",
+      "request_id",
+      "created_at",
+      "user_agent",
+      "business_id",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "name",
+      "org"
+    ]
+  },
+  {
+    "action": "business.rename_slug",
+    "description": "The slug for the enterprise URL was renamed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "name",
+      "business_id",
+      "user_agent",
+      "action",
+      "actor_id",
+      "operation_type",
+      "actor",
+      "@timestamp",
+      "created_at",
+      "business",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "business.revoke_sso_session",
+    "description": "The SAML single sign-on session for a member in an enterprise was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "business_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "actor",
+      "_document_id",
+      "actor_id",
+      "name",
+      "@timestamp",
+      "user_id",
+      "action",
+      "created_at",
+      "business"
+    ]
+  },
+  {
+    "action": "business_secret_scanning_automatic_validity_checks.disabled",
+    "description": "Automatic partner validation checks have been disabled at the business level",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_automatic_validity_checks.enabled",
+    "description": "Automatic partner validation checks have been enabled at the business level",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise#managing-advanced-security-features",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_custom_pattern.create",
+    "description": "An enterprise-level custom pattern was created for secret scanning.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "business_secret_scanning_custom_pattern.delete",
+    "description": "An enterprise-level custom pattern was removed from secret scanning.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business_secret_scanning_custom_pattern.publish",
+    "description": "An enterprise-level custom pattern was published for secret scanning.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business_secret_scanning_custom_pattern_push_protection.disabled",
+    "description": "Push protection for a custom pattern for secret scanning was disabled for your enterprise.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "business_secret_scanning_custom_pattern_push_protection.enabled",
+    "description": "Push protection for a custom pattern for secret scanning was enabled for your enterprise.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-enterprise-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "business_secret_scanning_custom_pattern.update",
+    "description": "Changes to an enterprise-level custom pattern were saved and a dry run was executed for secret scanning.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business_secret_scanning.disable",
+    "description": "Secret scanning was disabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning.disabled_for_new_repos",
+    "description": "Secret scanning was disabled for new repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning.enable",
+    "description": "Secret scanning was enabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning.enabled_for_new_repos",
+    "description": "Secret scanning was enabled for new repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_non_provider_patterns.disabled",
+    "description": "Secret scanning for non-provider patterns was disabled at the enterprise level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "business_secret_scanning_non_provider_patterns.enabled",
+    "description": "Secret scanning for non-provider patterns was enabled at the enterprise level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "business_secret_scanning_push_protection_custom_message.disable",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection_custom_message.enable",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection_custom_message.update",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was updated for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection.disable",
+    "description": "Push protection for secret scanning was disabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection.disabled_for_new_repos",
+    "description": "Push protection for secret scanning was disabled for new repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection.enable",
+    "description": "Push protection for secret scanning was enabled for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection.enabled_for_new_repos",
+    "description": "Push protection for secret scanning was enabled for new repositories in your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
+    "description": "The push protection setting was updated for a secret type for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor_id",
+      "actor",
+      "business",
+      "business_id",
+      "push_protection_setting",
+      "secret_type",
+      "secret_type_display_name",
+      "created_at"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business_secret_scanning_push_protection_pattern_configuration.updated",
+    "description": "The push protection pattern configuration was updated for your enterprise.",
+    "docs_reference_links": "/admin/code-security/managing-github-advanced-security-for-your-enterprise/managing-github-advanced-security-features-for-your-enterprise",
+    "fields": [
+      "actor_id",
+      "actor",
+      "business",
+      "business_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "Managing GitHub Advanced Security features for your enterprise"
+  },
+  {
+    "action": "business.secret_scanning_repo_admin_settings_policy_update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "new_policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.security_center_export_code_scanning_metrics",
+    "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.security_center_export_coverage",
+    "description": "A CSV export was requested on the \"Coverage\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the \"Overview Dashboard\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.security_center_export_risk",
+    "description": "A CSV export was requested on the \"Risk\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "business.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_fork_pr_approvals_policy",
+    "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "limit",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_fork_pr_workflows_policy",
+    "description": "The policy for fork pull request workflows was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "policy",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.sso_response",
+    "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your enterprise. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "issuer",
+      "name",
+      "user_agent",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "business",
+      "business_id",
+      "actor_id",
+      "created_at",
+      "request_id",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.update_actions_settings",
+    "description": "An enterprise owner or site administrator updated GitHub Actions policy settings for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "updated_github_owned_allowed",
+      "updated_verified_allowed",
+      "updated_patterns",
+      "new_policy",
+      "old_policy",
+      "updated_access_policy"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.update_default_repository_permission",
+    "description": "The base repository permission setting was updated for all organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-base-repository-permissions",
+    "fields": [
+      "business_id",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "permission",
+      "action",
+      "created_at",
+      "@timestamp",
+      "request_id",
+      "name",
+      "_document_id",
+      "old_permission",
+      "business"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "business.update_member_repository_creation_permission",
+    "description": "The repository creation setting was updated for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-creation",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "request_id",
+      "name",
+      "business_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "operation_type",
+      "permission",
+      "action",
+      "business",
+      "user_agent",
+      "visibility"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "business.update_member_repository_invitation_permission",
+    "description": "The policy setting for enterprise members inviting outside collaborators to repositories was updated.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories",
+    "fields": [
+      "business_id",
+      "created_at",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "permission",
+      "actor",
+      "actor_id",
+      "name",
+      "_document_id",
+      "user_agent",
+      "business"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "checks.auto_trigger_disabled",
+    "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.",
+    "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites",
+    "fields": [
+      "visibility",
+      "user_agent",
+      "user",
+      "@timestamp",
+      "repo",
+      "actor_id",
+      "user_id",
+      "action",
+      "created_at",
+      "actor",
+      "operation_type",
+      "request_id",
+      "repo_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites"
+  },
+  {
+    "action": "checks.auto_trigger_enabled",
+    "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.",
+    "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites"
+  },
+  {
+    "action": "checks.delete_logs",
+    "description": "Logs in a check suite were deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "repo_id",
+      "action",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "code_scanning.alert_appeared_in_branch",
+    "description": "Existing code scanning alerts appeared in a branch.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closed_became_fixed",
+    "description": "Code scanning alerts were fixed.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closed_became_outdated",
+    "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_numbers",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closed_by_user",
+    "description": "Code scanning alerts were manually dismissed.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "actor_id",
+      "request_id",
+      "actor",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers",
+      "dismissal_approver_id"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closure_approved",
+    "description": "Dismissal of code scanning alerts was approved.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "dismissal_request_id",
+      "alert_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closure_denied",
+    "description": "Dismissal of code scanning alerts was denied.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "dismissal_request_id",
+      "alert_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closure_requested",
+    "description": "Dismissal of code scanning alerts was requested.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "dismissal_request_id",
+      "alert_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_created",
+    "description": "Code scanning alerts were seen for the first time.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_reappeared",
+    "description": "Code scanning alerts that were previously fixed reappeared.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_reopened_by_user",
+    "description": "Code scanning alerts that were previously dismissed were reopened.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "actor_id",
+      "request_id",
+      "actor",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code.search",
+    "description": "A code search was run targeting an organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/search-github/github-code-search",
+    "fields": [
+      "@timestamp",
+      "action",
+      "actor_id",
+      "business_id",
+      "query",
+      "org_id",
+      "user_id",
+      "_document_id",
+      "search_string"
+    ],
+    "docs_reference_titles": "/search-github/github-code-search"
+  },
+  {
+    "action": "codespaces.allow_permissions",
+    "description": "A codespace using custom permissions from its devcontainer.json file was launched.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "origin_repository",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "codespaces.connect",
+    "description": "Credentials for a codespace were refreshed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "user_id",
+      "org_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "machine_type",
+      "devcontainer_path"
+    ]
+  },
+  {
+    "action": "codespaces.create",
+    "description": "A codespace was created",
+    "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "machine_type",
+      "devcontainer_path"
+    ],
+    "docs_reference_titles": "Creating a codespace for a repository"
+  },
+  {
+    "action": "codespaces.destroy",
+    "description": "A user deleted a codespace.",
+    "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Deleting a codespace"
+  },
+  {
+    "action": "codespaces.export_environment",
+    "description": "A codespace was exported to a branch on GitHub.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "owner",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "codespaces.restore",
+    "description": "A codespace was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "codespaces.start_environment",
+    "description": "A codespace was started.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "org",
+      "owner",
+      "pull_request_id",
+      "machine_type",
+      "user_id",
+      "user",
+      "devcontainer_path",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "codespaces.suspend_environment",
+    "description": "A codespace was stopped.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "codespaces.trusted_repositories_access_update",
+    "description": "A personal account's access and security setting for Codespaces were updated.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "copilot.cfb_seat_added",
+    "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_created",
+    "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.",
+    "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "What is GitHub Copilot?"
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_refreshed",
+    "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_reused",
+    "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_unassigned",
+    "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_cancelled",
+    "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "seat_assignment",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_cancelled_by_staff",
+    "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_id",
+      "user",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_disabled",
+    "description": "Specific repositories were disabled from using Copilot coding agent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org_id",
+      "owner_type",
+      "actor_id",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_enabled",
+    "description": "Specific repositories were enabled to use Copilot coding agent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org_id",
+      "owner_type",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_enablement_updated",
+    "description": "Copilot coding agent access was updated for the organization's or user's repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_access",
+      "old_access",
+      "org_id",
+      "owner_type",
+      "owner",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_property_definition.create",
+    "description": "A new custom property definition was created.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "property_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "value_type",
+      "required",
+      "default_value",
+      "definition_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_definition.destroy",
+    "description": "A custom property definition was deleted.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "property_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "value_type",
+      "required",
+      "default_value",
+      "definition_id",
+      "allowed_values"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_definition.update",
+    "description": "A custom property definition was updated.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "property_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "value_type",
+      "required",
+      "default_value",
+      "old_allowed_values",
+      "allowed_values",
+      "definition_id",
+      "old_required",
+      "old_default_value",
+      "old_value_type",
+      "old_values_editable_by",
+      "values_editable_by",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_value.create",
+    "description": "A repository's custom property value was manually set for the first time.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "definition_id",
+      "property_name",
+      "value",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_value.destroy",
+    "description": "A repository's custom property value was deleted.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_value.update",
+    "description": "A repository's custom property value was updated.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "definition_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "dependabot_alerts.disable",
+    "description": "Dependabot alerts were disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories"
+  },
+  {
+    "action": "dependabot_alerts.enable",
+    "description": "Dependabot alerts were enabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories"
+  },
+  {
+    "action": "dependabot_alerts_new_repos.disable",
+    "description": "Dependabot alerts were disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added"
+  },
+  {
+    "action": "dependabot_alerts_new_repos.enable",
+    "description": "Dependabot alerts were enabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added"
+  },
+  {
+    "action": "dependabot_repository_access.default_access_level_updated",
+    "description": "The default repository access for Dependabot was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "access_level",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "dependabot_repository_access.repositories_updated",
+    "description": "The repositories that Dependabot can access were updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependabot_security_updates.disable",
+    "description": "Dependabot security updates were disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependabot_security_updates.enable",
+    "description": "Dependabot security updates were enabled for all existing repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependabot_security_updates_new_repos.disable",
+    "description": " Dependabot security updates were disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependabot_security_updates_new_repos.enable",
+    "description": "Dependabot security updates were enabled for all new repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependency_graph.disable",
+    "description": "The dependency graph was disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependency_graph.enable",
+    "description": "The dependency graph was enabled for all existing repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependency_graph_new_repos.disable",
+    "description": "The dependency graph was disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependency_graph_new_repos.enable",
+    "description": "The dependency graph was enabled for all new repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "discussion_post.destroy",
+    "description": "Triggered when a team discussion post is deleted.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment",
+    "fields": [
+      "request_id",
+      "team",
+      "created_at",
+      "user_id",
+      "@timestamp",
+      "number",
+      "org",
+      "title",
+      "actor",
+      "actor_id",
+      "user",
+      "action",
+      "user_agent",
+      "operation_type",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment"
+  },
+  {
+    "action": "discussion_post_reply.destroy",
+    "description": "Triggered when a reply to a team discussion post is deleted.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment",
+    "fields": [
+      "actor_id",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "operation_type",
+      "user_id",
+      "actor",
+      "number",
+      "user",
+      "created_at",
+      "request_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment"
+  },
+  {
+    "action": "discussion_post_reply.update",
+    "description": "Triggered when a reply to a team discussion post is edited.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment",
+    "fields": [
+      "action",
+      "_document_id",
+      "request_id",
+      "org",
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "user",
+      "user_id",
+      "org_id",
+      "user_agent",
+      "actor",
+      "number",
+      "team",
+      "created_at"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment"
+  },
+  {
+    "action": "discussion_post.update",
+    "description": "Triggered when a team discussion post is edited.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "title",
+      "user",
+      "user_agent",
+      "org",
+      "operation_type",
+      "actor_id",
+      "@timestamp",
+      "actor",
+      "team",
+      "action",
+      "org_id",
+      "request_id",
+      "user_id",
+      "number"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment"
+  },
+  {
+    "action": "enterprise_announcement.create",
+    "description": "A global announcement banner was created for the enterprise.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "owner",
+      "owner_type",
+      "business_id",
+      "message",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Customizing user messages for your enterprise"
+  },
+  {
+    "action": "enterprise_announcement.destroy",
+    "description": "A global announcement banner was removed from the enterprise.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "owner",
+      "owner_type",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Customizing user messages for your enterprise"
+  },
+  {
+    "action": "enterprise_announcement.update",
+    "description": "A global announcement banner was updated for the enterprise.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "owner",
+      "owner_type",
+      "business_id",
+      "message",
+      "old_message",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Customizing user messages for your enterprise"
+  },
+  {
+    "action": "enterprise.configure_self_hosted_jit_runner",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "token_id",
+      "token_scopes",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "enterprise_domain.approve",
+    "description": "A domain was approved for an enterprise.",
+    "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#approving-a-domain-for-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner_type",
+      "domain_name",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Verifying or approving a domain for your enterprise"
+  },
+  {
+    "action": "enterprise_domain.create",
+    "description": "A domain was added to an enterprise.",
+    "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "owner_type",
+      "domain_name",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Verifying or approving a domain for your enterprise"
+  },
+  {
+    "action": "enterprise_domain.destroy",
+    "description": "A domain was removed from an enterprise.",
+    "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#removing-an-approved-or-verified-domain",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "owner_type",
+      "domain_name",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Verifying or approving a domain for your enterprise"
+  },
+  {
+    "action": "enterprise_domain.verify",
+    "description": "A domain was verified for an enterprise.",
+    "docs_reference_links": "/admin/configuration/configuring-your-enterprise/verifying-or-approving-a-domain-for-your-enterprise#verifying-a-domain-for-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner_type",
+      "domain_name",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Verifying or approving a domain for your enterprise"
+  },
+  {
+    "action": "enterprise.register_self_hosted_runner",
+    "description": "A new GitHub Actions self-hosted runner was registered.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding self-hosted runners"
+  },
+  {
+    "action": "enterprise.remove_self_hosted_runner",
+    "description": "A GitHub Actions self-hosted runner was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Removing self-hosted runners"
+  },
+  {
+    "action": "enterprise.runner_group_created",
+    "description": "A GitHub Actions self-hosted runner group was created.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "runner_group_restricted_to_workflows"
+    ],
+    "docs_reference_titles": "Removing self-hosted runners"
+  },
+  {
+    "action": "enterprise.runner_group_removed",
+    "description": "A GitHub Actions self-hosted runner group was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "enterprise.runner_group_runner_removed",
+    "description": "The REST API was used to remove a GitHub Actions self-hosted runner from a group.",
+    "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "runner_group_id",
+      "runner_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization"
+  },
+  {
+    "action": "enterprise.runner_group_runners_added",
+    "description": "A GitHub Actions self-hosted runner was added to a group.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "enterprise.runner_group_runners_updated",
+    "description": "A GitHub Actions runner group's list of members was updated.",
+    "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "runner_group_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization"
+  },
+  {
+    "action": "enterprise.runner_group_updated",
+    "description": "The configuration of a GitHub Actions self-hosted runner group was changed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "runner_group_name",
+      "runner_group_allow_public",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "runner_group_restricted_to_workflows",
+      "runner_group_selected_workflow_refs",
+      "network_configuration_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "enterprise.self_hosted_runner_offline",
+    "description": "The GitHub Actions runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "business_id",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "enterprise.self_hosted_runner_online",
+    "description": "The GitHub Actions runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "business_id",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "enterprise.self_hosted_runner_updated",
+    "description": "The GitHub Actions runner application was updated. This event is not included in the JSON/CSV export.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners",
+    "fields": [
+      "business_id",
+      "runner_id",
+      "runner_name",
+      "source_version",
+      "target_version",
+      "runner_group_id",
+      "runner_group_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Self-hosted runners"
+  },
+  {
+    "action": "enterprise_team.add_member",
+    "description": "A new member was added to the enterprise team or an IdP group linked to an enterprise team, or an IdP group was linked to an enterprise team.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_id",
+      "business_id",
+      "enterprise_team_id",
+      "enterprise_team",
+      "user",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "enterprise_team.copilot_assignment",
+    "description": "A license for GitHub Copilot was assigned to an enterprise team.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business_id",
+      "enterprise_team_id",
+      "enterprise_team",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "enterprise_team.copilot_unassignment",
+    "description": "A license for GitHub Copilot was unassigned from an enterprise team.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business_id",
+      "enterprise_team_id",
+      "enterprise_team",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "enterprise_team.create",
+    "description": "A new enterprise team was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business_id",
+      "enterprise_team_id",
+      "enterprise_team",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "enterprise_team.destroy",
+    "description": "An enterprise team was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business_id",
+      "enterprise_team_id",
+      "enterprise_team",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "enterprise_team.remove_member",
+    "description": "A member was removed from the enterprise team or an IdP group linked to an enterprise team, or an IdP group was unlinked from an enterprise team.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_id",
+      "business_id",
+      "enterprise_team_id",
+      "enterprise_team",
+      "user",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "enterprise_team.rename",
+    "description": "The name of an enterprise team was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "business_id",
+      "enterprise_team_id",
+      "enterprise_team",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "environment.add_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was created via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "environment.create_actions_secret",
+    "description": "A secret was created for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.create_actions_variable",
+    "description": "A variable was created for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.delete",
+    "description": "An environment was deleted.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.remove_actions_secret",
+    "description": "A secret was deleted for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.remove_actions_variable",
+    "description": "A variable was deleted for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.remove_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was deleted via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.update_actions_secret",
+    "description": "A secret was updated for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.update_actions_variable",
+    "description": "A variable was updated for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.update_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was updated via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "new_value",
+      "approvers_was",
+      "approvers",
+      "programmatic_access_type",
+      "can_admins_bypass",
+      "prevent_self_review"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "external_group.add_member",
+    "description": "A user was added to an external group.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "external_group",
+      "external_group_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "scim_group_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_group.delete",
+    "description": "An external group was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "scim_group_id"
+    ]
+  },
+  {
+    "action": "external_group.link",
+    "description": "An external group was linked to a GitHub team.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "external_group_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "external_group",
+      "programmatic_access_type",
+      "scim_group_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_group.provision",
+    "description": "An external group was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_group.remove_member",
+    "description": "A user was removed from an external group.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "external_group",
+      "external_group_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_group.scim_api_failure",
+    "description": "Failed external group SCIM API request.",
+    "docs_reference_links": "/rest/scim/scim",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_method",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "query_string",
+      "api_request_body",
+      "route",
+      "status_code",
+      "url_path",
+      "scim_group_id",
+      "message",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "REST API endpoints for SCIM"
+  },
+  {
+    "action": "external_group.scim_api_success",
+    "description": "Successful external group SCIM API request. Excludes GET API requests.",
+    "docs_reference_links": "/rest/scim/scim",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_method",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "query_string",
+      "api_request_body",
+      "route",
+      "status_code",
+      "url_path",
+      "scim_group_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "REST API endpoints for SCIM"
+  },
+  {
+    "action": "external_group.unlink",
+    "description": "An external group was unlinked to a GitHub team.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "external_group_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "external_group"
+    ]
+  },
+  {
+    "action": "external_group.update",
+    "description": "An external group was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "scim_group_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_group.update_display_name",
+    "description": "An external group's display name was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "external_group_id",
+      "external_group",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "scim_group_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_identity.deprovision",
+    "description": "An external identity was deprovisioned, suspending the linked GitHub user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "action",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_identity.provision",
+    "description": "An external identity was created and linked to a GitHub user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "action",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "scim_user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "external_identity.scim_api_failure",
+    "description": "Failed external identity SCIM API request.",
+    "docs_reference_links": "/rest/scim/scim",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_method",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "query_string",
+      "api_request_body",
+      "route",
+      "status_code",
+      "url_path",
+      "scim_user_id",
+      "message",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "REST API endpoints for SCIM"
+  },
+  {
+    "action": "external_identity.scim_api_success",
+    "description": "Successful external identity SCIM API request. Excludes GET API requests.",
+    "docs_reference_links": "/rest/scim/scim",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_method",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "query_string",
+      "api_request_body",
+      "route",
+      "status_code",
+      "url_path",
+      "scim_user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "REST API endpoints for SCIM"
+  },
+  {
+    "action": "external_identity.update",
+    "description": "An external identity was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "action",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "scim_user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "gist.create",
+    "description": "A gist was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user_id",
+      "user",
+      "gist_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "visibility",
+      "action",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "gist.destroy",
+    "description": "A gist was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "gist_id",
+      "visibility",
+      "created_at",
+      "_document_id",
+      "user",
+      "request_id",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "action",
+      "user_agent",
+      "@timestamp",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "gist.visibility_change",
+    "description": "The visibility of a gist was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "actor",
+      "user",
+      "gist_id",
+      "actor_id",
+      "request_id",
+      "visibility",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "git.clone",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "transport_protocol",
+      "request_id",
+      "repository",
+      "repository_id",
+      "repository_public",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "transport_protocol_name"
+    ]
+  },
+  {
+    "action": "git.fetch",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "transport_protocol",
+      "request_id",
+      "repository",
+      "repository_id",
+      "repository_public",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "transport_protocol_name"
+    ]
+  },
+  {
+    "action": "git.push",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "transport_protocol",
+      "request_id",
+      "repository",
+      "repository_id",
+      "repository_public",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "transport_protocol_name"
+    ]
+  },
+  {
+    "action": "git_signing_ssh_public_key.create",
+    "description": "An SSH key was added to a user account as a Git commit signing key.",
+    "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "key",
+      "fingerprint",
+      "user_id",
+      "user",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key"
+  },
+  {
+    "action": "git_signing_ssh_public_key.delete",
+    "description": "An SSH key was removed from a user account as a Git commit signing key.",
+    "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "key",
+      "fingerprint",
+      "user_id",
+      "explanation",
+      "user",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key"
+  },
+  {
+    "action": "github_hosted_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "runner_group_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "github_hosted_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "github_hosted_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "runner_group_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "gpg_key.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "created_at",
+      "user_id",
+      "@timestamp",
+      "user",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "action",
+      "user_agent",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "gpg_key.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "action",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "hook.active_changed",
+    "description": "A hook's active status was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "name",
+      "events",
+      "active",
+      "active_was",
+      "hook_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.config_changed",
+    "description": "A hook's configuration was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "name",
+      "org",
+      "user_agent",
+      "request_id",
+      "hook_id",
+      "repo",
+      "repo_id",
+      "created_at",
+      "oauth_application_id",
+      "action",
+      "events",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.create",
+    "description": "A new hook was added.",
+    "docs_reference_links": "/get-started/exploring-integrations/about-webhooks",
+    "fields": [
+      "oauth_application",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "repo_id",
+      "request_id",
+      "hook_id",
+      "events",
+      "repo",
+      "@timestamp",
+      "operation_type",
+      "name",
+      "action",
+      "created_at",
+      "org_id",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About webhooks"
+  },
+  {
+    "action": "hook.destroy",
+    "description": "A hook was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "events",
+      "repo",
+      "created_at",
+      "org",
+      "name",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "org_id",
+      "action",
+      "operation_type",
+      "oauth_application_id",
+      "user_agent",
+      "hook_id",
+      "@timestamp",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.events_changed",
+    "description": "A hook's configured events were changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "events",
+      "repo",
+      "operation_type",
+      "action",
+      "_document_id",
+      "actor_id",
+      "name",
+      "events_were",
+      "@timestamp",
+      "created_at",
+      "hook_id",
+      "repo_id",
+      "org_id",
+      "org",
+      "user_agent",
+      "request_id",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "integration.create",
+    "description": "A GitHub App was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "request_id",
+      "name",
+      "user_id",
+      "_document_id",
+      "integration",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.destroy",
+    "description": "A GitHub App was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "actor_id",
+      "request_id",
+      "@timestamp",
+      "name",
+      "integration",
+      "user",
+      "_document_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "integration.generate_client_secret",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration_installation.create",
+    "description": "A GitHub App was installed.",
+    "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps",
+    "fields": [
+      "operation_type",
+      "@timestamp",
+      "name",
+      "request_id",
+      "repository_selection",
+      "user_id",
+      "action",
+      "user_agent",
+      "user",
+      "created_at",
+      "integration",
+      "_document_id",
+      "programmatic_access_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps"
+  },
+  {
+    "action": "integration_installation.destroy",
+    "description": "A GitHub App was uninstalled.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "@timestamp",
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "repository_selection",
+      "integration",
+      "user_id",
+      "user",
+      "action",
+      "operation_type",
+      "name",
+      "actor_id",
+      "user_agent",
+      "programmatic_access_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.repositories_added",
+    "description": "Repositories were added to a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access",
+    "fields": [
+      "user_id",
+      "repository_selection",
+      "name",
+      "user",
+      "request_id",
+      "integration",
+      "operation_type",
+      "actor_id",
+      "action",
+      "repositories_added",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "token_scopes",
+      "repositories_added_names",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access"
+  },
+  {
+    "action": "integration_installation.repositories_removed",
+    "description": "Repositories were removed from a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access",
+    "fields": [
+      "user",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "repository_selection",
+      "repositories_removed",
+      "integration",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "name",
+      "action",
+      "actor_id",
+      "repositories_removed_names",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access"
+  },
+  {
+    "action": "integration_installation_request.close",
+    "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.",
+    "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner",
+    "fields": [
+      "url",
+      "actor",
+      "actor_id",
+      "created_at",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "integration",
+      "action",
+      "user_agent",
+      "reason",
+      "_document_id",
+      "org",
+      "org_id",
+      "request_access_security_header",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner"
+  },
+  {
+    "action": "integration_installation_request.create",
+    "description": "A member requested that an owner install a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner",
+    "fields": [
+      "@timestamp",
+      "actor_id",
+      "org",
+      "_document_id",
+      "requester",
+      "action",
+      "user_agent",
+      "created_at",
+      "url",
+      "org_id",
+      "request_id",
+      "operation_type",
+      "actor",
+      "integration",
+      "request_access_security_header",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner"
+  },
+  {
+    "action": "integration_installation.suspend",
+    "description": "A GitHub App was suspended.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "name",
+      "repository_selection",
+      "actor_id",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.unsuspend",
+    "description": "A GitHub App was unsuspended.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "name",
+      "repository_selection",
+      "actor_id",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.version_updated",
+    "description": "Permissions for a GitHub App were updated.",
+    "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app",
+    "fields": [
+      "integration",
+      "user_id",
+      "user_agent",
+      "name",
+      "user",
+      "operation_type",
+      "actor_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "created_at",
+      "repository_selection",
+      "@timestamp",
+      "actor",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app"
+  },
+  {
+    "action": "integration.manager_added",
+    "description": "A member of an enterprise or organization was added as a GitHub App manager.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization",
+    "fields": [
+      "created_at",
+      "action",
+      "_document_id",
+      "name",
+      "org_id",
+      "manager",
+      "operation_type",
+      "actor",
+      "integration",
+      "org",
+      "@timestamp",
+      "actor_id",
+      "request_id",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization"
+  },
+  {
+    "action": "integration.manager_removed",
+    "description": "A member of an enterprise or organization was removed from being a GitHub App manager.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "org",
+      "operation_type",
+      "integration",
+      "org_id",
+      "_document_id",
+      "action",
+      "actor",
+      "name",
+      "created_at",
+      "manager",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization"
+  },
+  {
+    "action": "integration.remove_client_secret",
+    "description": "A client secret for a GitHub App was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "integration.revoke_all_tokens",
+    "description": "All user tokens for a GitHub App were requested to be revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.revoke_tokens",
+    "description": "Token(s) for a GitHub App were revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.suspend",
+    "description": "A GitHub App was suspended.",
+    "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
+  },
+  {
+    "action": "integration.transfer",
+    "description": "Ownership of a GitHub App was transferred to another user or organization.",
+    "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app",
+    "fields": [
+      "@timestamp",
+      "user_id",
+      "name",
+      "transfer_to_id",
+      "user",
+      "requester",
+      "action",
+      "requester_id",
+      "actor_id",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "transfer_to",
+      "operation_type",
+      "request_id",
+      "actor",
+      "integration",
+      "transfer_from",
+      "transfer_from_id",
+      "transfer_from_type",
+      "transfer_to_type"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app"
+  },
+  {
+    "action": "integration.unsuspend",
+    "description": "A GitHub App was unsuspended.",
+    "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
+  },
+  {
+    "action": "ip_allow_list.disable",
+    "description": "An IP allow list was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "actor",
+      "request_id",
+      "org",
+      "user_agent",
+      "_document_id",
+      "user_id",
+      "actor_id",
+      "created_at",
+      "org_id",
+      "action",
+      "@timestamp",
+      "user"
+    ]
+  },
+  {
+    "action": "ip_allow_list.disable_for_installed_apps",
+    "description": "An IP allow list was disabled for installed GitHub Apps.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "ip_allow_list.disable_user_level_enforcement",
+    "description": "IP allow list user level enforcement was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "ip_allow_list.enable",
+    "description": "An IP allow list was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "business",
+      "user_id",
+      "request_id",
+      "actor",
+      "user",
+      "business_id",
+      "_document_id",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "actor_id",
+      "operation_type",
+      "org",
+      "created_at"
+    ]
+  },
+  {
+    "action": "ip_allow_list.enable_for_installed_apps",
+    "description": "An IP allow list was enabled for installed GitHub Apps.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "ip_allow_list.enable_user_level_enforcement",
+    "description": "IP allow list user level enforcement was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "ip_allow_list_entry.create",
+    "description": "An IP address was added to an IP allow list.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "active",
+      "org",
+      "ip_allow_list_entry",
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "action",
+      "request_id",
+      "actor_id",
+      "business_id",
+      "org_id",
+      "business",
+      "actor",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "ip_allow_list_entry.destroy",
+    "description": "An IP address was deleted from an IP allow list.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "request_id",
+      "ip_allow_list_entry",
+      "org",
+      "operation_type",
+      "created_at",
+      "active",
+      "action",
+      "@timestamp",
+      "business",
+      "business_id",
+      "user_agent",
+      "org_id",
+      "actor",
+      "actor_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "ip_allow_list_entry.update",
+    "description": "An IP address or its description was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "_document_id",
+      "actor",
+      "org",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "ip_allow_list_entry",
+      "active",
+      "org_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_add",
+    "description": "An issue was marked as blocked by another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_remove",
+    "description": "The blocked by relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "org",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_add",
+    "description": "An issue was marked as blocking another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_remove",
+    "description": "The blocking relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "marketplace_agreement_signature.create",
+    "description": "The GitHub Marketplace Developer Agreement was signed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "action",
+      "user",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "marketplace_listing.approve",
+    "description": "A listing was approved for inclusion in GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "secondary_category",
+      "actor",
+      "primary_category",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "marketplace_listing",
+      "integration",
+      "action"
+    ]
+  },
+  {
+    "action": "marketplace_listing.change_category",
+    "description": "A category for a listing for an app in GitHub Marketplace was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "primary_category",
+      "user_agent",
+      "request_id",
+      "actor",
+      "marketplace_listing",
+      "@timestamp",
+      "integration",
+      "org_id",
+      "action",
+      "org",
+      "secondary_category",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "marketplace_listing.create",
+    "description": "A listing for an app in GitHub Marketplace was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "primary_category",
+      "_document_id",
+      "user",
+      "created_at",
+      "user_agent",
+      "oauth_application",
+      "action",
+      "request_id",
+      "marketplace_listing",
+      "user_id",
+      "secondary_category",
+      "oauth_application_id",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "marketplace_listing.delist",
+    "description": "A listing was removed from GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "created_at",
+      "secondary_category",
+      "operation_type",
+      "marketplace_listing",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "primary_category",
+      "integration"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "actor",
+      "action",
+      "operation_type",
+      "marketplace_listing",
+      "has_free_trial",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "yearly_price_in_cents",
+      "description",
+      "bullets",
+      "monthly_price_in_cents",
+      "marketplace_listing_plan",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.publish",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "marketplace_listing_plan",
+      "marketplace_listing",
+      "description",
+      "bullets",
+      "has_free_trial",
+      "created_at",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "actor",
+      "monthly_price_in_cents",
+      "yearly_price_in_cents",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.retire",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "marketplace_listing_plan",
+      "_document_id",
+      "request_id",
+      "description",
+      "yearly_price_in_cents",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "bullets",
+      "has_free_trial",
+      "marketplace_listing",
+      "user_agent",
+      "monthly_price_in_cents",
+      "action",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "monthly_price_in_cents",
+      "marketplace_listing",
+      "_document_id",
+      "action",
+      "description",
+      "bullets",
+      "yearly_price_in_cents",
+      "request_id",
+      "actor_id",
+      "has_free_trial",
+      "marketplace_listing_plan",
+      "user_agent",
+      "@timestamp",
+      "operation_type",
+      "actor",
+      "created_at"
+    ]
+  },
+  {
+    "action": "marketplace_listing.redraft",
+    "description": "A listing was sent back to draft state.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "secondary_category",
+      "oauth_application_id",
+      "@timestamp",
+      "action",
+      "user_agent",
+      "user_id",
+      "operation_type",
+      "oauth_application",
+      "actor",
+      "created_at",
+      "marketplace_listing",
+      "request_id",
+      "actor_id",
+      "primary_category",
+      "user"
+    ]
+  },
+  {
+    "action": "marketplace_listing.reject",
+    "description": "A listing was not accepted for inclusion in GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "primary_category",
+      "secondary_category",
+      "marketplace_listing",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "merge_queue.pull_request_dequeued",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "merge_queue.pull_request_queue_jump",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "token_id",
+      "token_scopes",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "merge_queue.queue_cleared",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "merge_queue.update_settings",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "max_entries_to_build",
+      "min_entries_to_merge",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "org",
+      "created_at",
+      "operation_type",
+      "org_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "migration.create",
+    "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "org_id",
+      "_document_id",
+      "org",
+      "repo_id",
+      "action",
+      "actor",
+      "created_at",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "oauth_access.create",
+    "description": "An OAuth access token was generated.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token",
+    "fields": [
+      "_document_id",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "user",
+      "user_id",
+      "created_at",
+      "action",
+      "actor_id",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens"
+  },
+  {
+    "action": "oauth_access.destroy",
+    "description": "An OAuth access token was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps",
+    "fields": [
+      "@timestamp",
+      "user_agent",
+      "action",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "created_at",
+      "user",
+      "user_id",
+      "request_id",
+      "explanation",
+      "hashed_token",
+      "actor_id",
+      "token_scopes",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps"
+  },
+  {
+    "action": "oauth_access.regenerate",
+    "description": "An OAuth access token was regenerated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "user_id",
+      "_document_id",
+      "created_at",
+      "@timestamp",
+      "operation_type",
+      "action",
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "oauth_application_name"
+    ]
+  },
+  {
+    "action": "oauth_access.revoke",
+    "description": "An OAuth access token was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "request_access_security_header",
+      "hashed_token",
+      "token_id",
+      "token_scopes",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "oauth_access.update",
+    "description": "An OAuth access token was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "created_at",
+      "action",
+      "@timestamp",
+      "user",
+      "user_agent",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "oauth_application.create",
+    "description": "An OAuth application was created.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "org",
+      "created_at",
+      "oauth_application_id",
+      "operation_type",
+      "user_agent",
+      "actor_id",
+      "org_id",
+      "action",
+      "actor",
+      "oauth_application",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.destroy",
+    "description": "An OAuth application was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "created_at",
+      "oauth_application_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "oauth_application",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "request_id",
+      "action",
+      "user",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.generate_client_secret",
+    "description": "An OAuth application's secret key was generated.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.remove_client_secret",
+    "description": "An OAuth application's secret key was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.reset_secret",
+    "description": "The secret key for an OAuth application was reset.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user",
+      "user_id",
+      "action",
+      "oauth_application",
+      "operation_type",
+      "request_id",
+      "actor_id",
+      "_document_id",
+      "created_at",
+      "actor",
+      "oauth_application_id",
+      "@timestamp",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.revoke_all_tokens",
+    "description": "All user tokens for an OAuth application were requested to be revoked.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.revoke_tokens",
+    "description": "Token(s) for an OAuth application were revoked.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "oauth_application_id",
+      "oauth_application",
+      "actor_id",
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "user_id",
+      "action",
+      "_document_id",
+      "actor",
+      "user",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.suspend",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "user_agent",
+      "org_id",
+      "org",
+      "operation_type",
+      "oauth_application_id",
+      "action",
+      "created_at",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "_document_id",
+      "request_id"
+    ]
+  },
+  {
+    "action": "oauth_application.transfer",
+    "description": "An OAuth application was transferred from one account to another.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "oauth_application",
+      "actor_id",
+      "oauth_application_id",
+      "@timestamp",
+      "user_id",
+      "_document_id",
+      "request_id",
+      "user",
+      "action"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.unsuspend",
+    "description": "An OAuth application was unsuspended for a user or organization account.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "operation_type",
+      "org_id",
+      "action",
+      "oauth_application_id",
+      "oauth_application",
+      "org",
+      "created_at",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_authorization.create",
+    "description": "An authorization for an OAuth application was created.",
+    "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps",
+    "fields": [
+      "operation_type",
+      "user_agent",
+      "user_id",
+      "actor",
+      "org_id",
+      "_document_id",
+      "request_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "user",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps"
+  },
+  {
+    "action": "oauth_authorization.destroy",
+    "description": "An authorization for an OAuth application was deleted.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations",
+    "fields": [
+      "user_agent",
+      "_document_id",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "created_at",
+      "explanation",
+      "user",
+      "user_id",
+      "org_id",
+      "action",
+      "actor_id",
+      "token_scopes",
+      "actor_is_bot",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps"
+  },
+  {
+    "action": "oauth_authorization.update",
+    "description": "An authorization for an OAuth application was updated.",
+    "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps",
+    "fields": [
+      "org_id",
+      "request_id",
+      "user_id",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "@timestamp",
+      "operation_type",
+      "action",
+      "user",
+      "created_at",
+      "_document_id",
+      "actor_is_bot",
+      "request_access_security_header",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps"
+  },
+  {
+    "action": "org.accept_business_invitation",
+    "description": "An invitation sent to an organization to join an enterprise was accepted.",
+    "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.add_billing_manager",
+    "description": "A billing manager was added to an organization.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization",
+    "fields": [
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "org",
+      "user_id",
+      "action",
+      "created_at",
+      "org_id",
+      "user",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization"
+  },
+  {
+    "action": "org.add_member",
+    "description": "A user joined an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "permission",
+      "_document_id",
+      "org",
+      "operation_type",
+      "request_id",
+      "actor",
+      "user",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "org_id",
+      "user_id",
+      "actor_id",
+      "action",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.add_outside_collaborator",
+    "description": "An outside collaborator was added to a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "inviter",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "permission",
+      "invitee",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.add_security_manager",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "org",
+      "team",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.advanced_security_disabled_for_new_repos",
+    "description": "GitHub Advanced Security was disabled for new repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_disabled_on_all_repos",
+    "description": "GitHub Advanced Security was disabled for all repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_enabled_for_new_repos",
+    "description": "GitHub Advanced Security was enabled for new repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_enabled_on_all_repos",
+    "description": "GitHub Advanced Security was enabled for all repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_entity_policy_update",
+    "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "org.advanced_security_policy_selected_member_disabled",
+    "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "org.advanced_security_policy_selected_member_enabled",
+    "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "org.async_delete",
+    "description": "A user initiated a background job to delete an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "org",
+      "org_id",
+      "user_agent",
+      "created_at"
+    ]
+  },
+  {
+    "action": "org.billing_signup_error",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "request_id",
+      "user_agent",
+      "action",
+      "@timestamp",
+      "actor_id",
+      "org_id",
+      "_document_id",
+      "actor",
+      "org",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.block_user",
+    "description": "An organization owner blocked a user from accessing the organization's repositories.",
+    "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization",
+    "fields": [
+      "actor",
+      "user_agent",
+      "org_id",
+      "created_at",
+      "_document_id",
+      "blocked_user",
+      "action",
+      "operation_type",
+      "actor_id",
+      "org",
+      "@timestamp",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization"
+  },
+  {
+    "action": "org.cancel_business_invitation",
+    "description": "An invitation for an organization to join an enterprise was revoked",
+    "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "initiated_from"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.cancel_invitation",
+    "description": "An invitation sent to a user to join an organization was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "org_id",
+      "request_id",
+      "email",
+      "@timestamp",
+      "actor",
+      "action",
+      "operation_type",
+      "user_agent",
+      "org",
+      "invitation_id",
+      "_document_id",
+      "created_at",
+      "invitee_email",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.clear_custom_invitation_rate_limit",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_disabled",
+    "description": "Autofix for code scanning alerts was disabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_enabled",
+    "description": "Autofix for code scanning alerts was enabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_third_party_tools_disabled",
+    "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_third_party_tools_enabled",
+    "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.codeql_disabled",
+    "description": "Code scanning using the default setup was disabled for an organization.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale"
+  },
+  {
+    "action": "org.codeql_enabled",
+    "description": "Code scanning using the default setup was enabled for an organization.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale"
+  },
+  {
+    "action": "org.config.disable_collaborators_only",
+    "description": "The interaction limit for collaborators only for an organization was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "request_id",
+      "org",
+      "action",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "user_agent",
+      "org_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.disable_contributors_only",
+    "description": "The interaction limit for prior contributors only for an organization was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "action",
+      "actor_id",
+      "org",
+      "_document_id",
+      "actor",
+      "org_id",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.disable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users only for an organization was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "_document_id",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "action",
+      "created_at",
+      "actor",
+      "org",
+      "@timestamp",
+      "user_agent",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.enable_collaborators_only",
+    "description": "The interaction limit for collaborators only for an organization was enabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "request_id",
+      "operation_type",
+      "action",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.enable_contributors_only",
+    "description": "The interaction limit for prior contributors only for an organization was enabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "org",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.enable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users only for an organization was enabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "actor_id",
+      "request_id",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor",
+      "_document_id",
+      "org_id",
+      "operation_type",
+      "org",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.configure_self_hosted_jit_runner",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.confirm_business_invitation",
+    "description": "An invitation for an organization to join an enterprise was confirmed.",
+    "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.create",
+    "description": "An organization was created.",
+    "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch",
+    "fields": [
+      "request_id",
+      "org",
+      "actor_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "org_id",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch"
+  },
+  {
+    "action": "org.delete",
+    "description": "An organization was deleted by a user or staff.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "actor",
+      "org_id",
+      "org",
+      "action",
+      "actor_id",
+      "operation_type",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.disable_member_team_creation_permission",
+    "description": "Team creation was limited to owners.",
+    "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization",
+    "fields": [
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_id",
+      "action",
+      "created_at",
+      "actor_id",
+      "user_agent",
+      "org",
+      "org_id",
+      "operation_type",
+      "request_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization"
+  },
+  {
+    "action": "org.disable_reader_discussion_creation_permission",
+    "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization"
+  },
+  {
+    "action": "org.disable_saml",
+    "description": "SAML single sign-on was disabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "sso_url",
+      "issuer",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "org",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.disable_two_factor_requirement",
+    "description": "A two-factor authentication requirement was disabled for the organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org",
+      "org_id",
+      "action",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "org.display_commenter_full_name_disabled",
+    "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "user_agent",
+      "org",
+      "actor_id",
+      "org_id",
+      "request_id"
+    ]
+  },
+  {
+    "action": "org.display_commenter_full_name_enabled",
+    "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "user_agent",
+      "request_id",
+      "actor",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "user",
+      "action",
+      "actor_id",
+      "org_id"
+    ]
+  },
+  {
+    "action": "org.enable_member_team_creation_permission",
+    "description": "Team creation by members was allowed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization",
+    "fields": [
+      "org_id",
+      "user",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "org",
+      "request_id",
+      "action",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization"
+  },
+  {
+    "action": "org.enable_reader_discussion_creation_permission",
+    "description": "An organization owner allowed users with read access to create discussions in an organization",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization"
+  },
+  {
+    "action": "org.enable_saml",
+    "description": "SAML single sign-on was enabled for the organization.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization",
+    "fields": [
+      "actor_id",
+      "action",
+      "operation_type",
+      "actor",
+      "sso_url",
+      "org",
+      "created_at",
+      "@timestamp",
+      "issuer",
+      "org_id",
+      "_document_id",
+      "user_agent",
+      "request_id"
+    ],
+    "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization"
+  },
+  {
+    "action": "org.enable_two_factor_requirement",
+    "description": "Two-factor authentication is now required for the organization.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
+    "fields": [
+      "actor_id",
+      "action",
+      "_document_id",
+      "org",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "org_id",
+      "operation_type",
+      "created_at",
+      "request_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization"
+  },
+  {
+    "action": "org.integration_manager_added",
+    "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "org_id",
+      "manager",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "actor_id",
+      "org",
+      "action",
+      "created_at"
+    ]
+  },
+  {
+    "action": "org.integration_manager_removed",
+    "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "@timestamp",
+      "org",
+      "user_agent",
+      "request_id",
+      "action",
+      "actor",
+      "actor_id",
+      "manager",
+      "operation_type",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "org.invite_member",
+    "description": "A new user was invited to join an organization.",
+    "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization",
+    "fields": [
+      "org",
+      "user_id",
+      "invitation_id",
+      "org_id",
+      "user",
+      "action",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "request_id",
+      "invitee_email",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization"
+  },
+  {
+    "action": "org.invite_to_business",
+    "description": "An organization was invited to join an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.members_can_update_protected_branches.disable",
+    "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "org.members_can_update_protected_branches.enable",
+    "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "org_id",
+      "user_agent",
+      "actor_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "_document_id",
+      "actor",
+      "user",
+      "action"
+    ]
+  },
+  {
+    "action": "org.rate_limited_invites",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "org_id",
+      "action",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "org"
+    ]
+  },
+  {
+    "action": "org.recreate",
+    "description": "An organization was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org",
+      "action",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "org_id"
+    ]
+  },
+  {
+    "action": "org.register_self_hosted_runner",
+    "description": "A new self-hosted runner was registered.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization",
+    "fields": [
+      "actor",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding self-hosted runners"
+  },
+  {
+    "action": "org.remove_billing_manager",
+    "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
+    "fields": [
+      "user_id",
+      "user_agent",
+      "org_id",
+      "user",
+      "action",
+      "_document_id",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "org",
+      "actor_id",
+      "request_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization"
+  },
+  {
+    "action": "org.remove_member",
+    "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "user_agent",
+      "actor",
+      "action",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "user",
+      "operation_type",
+      "org_id",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.remove_outside_collaborator",
+    "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "user",
+      "org_id",
+      "created_at",
+      "request_id",
+      "@timestamp",
+      "action",
+      "operation_type",
+      "user_agent",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.remove_security_manager",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "org",
+      "team",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.remove_self_hosted_runner",
+    "description": "A self-hosted runner was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization",
+    "fields": [
+      "operation_type",
+      "org_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "org",
+      "created_at",
+      "actor",
+      "action",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing self-hosted runners"
+  },
+  {
+    "action": "org.rename",
+    "description": "An organization was renamed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "_document_id",
+      "@timestamp",
+      "org",
+      "action",
+      "actor",
+      "old_login",
+      "org_id",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.restore_member",
+    "description": "An organization member was restored.",
+    "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization",
+    "fields": [
+      "user",
+      "actor",
+      "user_id",
+      "_document_id",
+      "action",
+      "created_at",
+      "org_id",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "org",
+      "actor_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization"
+  },
+  {
+    "action": "org.runner_group_created",
+    "description": "A self-hosted runner group was created.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "runner_group_restricted_to_workflows",
+      "runner_group_selected_workflow_refs",
+      "programmatic_access_type",
+      "network_configuration_id"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_removed",
+    "description": "A self-hosted runner group was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_runner_removed",
+    "description": "The REST API was used to remove a self-hosted runner from a group.",
+    "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "runner_group_id",
+      "runner_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization"
+  },
+  {
+    "action": "org.runner_group_runners_added",
+    "description": "A self-hosted runner was added to a group.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_runners_updated",
+    "description": "A runner group's list of members was updated.",
+    "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization"
+  },
+  {
+    "action": "org.runner_group_updated",
+    "description": "The configuration of a self-hosted runner group was changed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "runner_group_name",
+      "runner_group_allow_public",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "runner_group_restricted_to_workflows",
+      "runner_group_selected_workflow_refs",
+      "programmatic_access_type",
+      "network_configuration_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org_secret_scanning_automatic_validity_checks.disabled",
+    "description": "Automatic partner validation checks have been disabled at the organization level",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization"
+  },
+  {
+    "action": "org_secret_scanning_automatic_validity_checks.enabled",
+    "description": "Automatic partner validation checks have been enabled at the organization level",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.create",
+    "description": "A custom pattern was created for secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.delete",
+    "description": "A custom pattern was removed from secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.publish",
+    "description": "A custom pattern was published for secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org.secret_scanning_custom_pattern_push_protection_disabled",
+    "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org.secret_scanning_custom_pattern_push_protection_enabled",
+    "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.update",
+    "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_non_provider_patterns.disabled",
+    "description": "Secret scanning for non-provider patterns was disabled at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "org_secret_scanning_non_provider_patterns.enabled",
+    "description": "Secret scanning for non-provider patterns was enabled at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.add",
+    "description": "A role or team was added to the push protection bypass list at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.disable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.enable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.remove",
+    "description": "A role or team was removed from the push protection bypass list at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_custom_message_disabled",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_custom_message_enabled",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_custom_message_updated",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_disable",
+    "description": "Push protection for secret scanning was disabled.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_enable",
+    "description": "Push protection for secret scanning was enabled.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_new_repos_disable",
+    "description": "Push protection for secret scanning was disabled for all new repositories in the organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_new_repos_enable",
+    "description": "Push protection for secret scanning was enabled for all new repositories in the organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
+    "description": "The push protection setting was updated for a secret type for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "push_protection_setting",
+      "secret_type",
+      "secret_type_display_name",
+      "created_at"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
+    "description": "The push protection pattern configuration was updated for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.security_center_export_code_scanning_metrics",
+    "description": "A CSV export was requested on the CodeQL pull request alerts page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.security_center_export_coverage",
+    "description": "A CSV export was requested on the Coverage page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the Overview Dashboard page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.security_center_export_risk",
+    "description": "A CSV export was requested on the Risk page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.self_hosted_runner_offline",
+    "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "org.self_hosted_runner_online",
+    "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "org.self_hosted_runner_updated",
+    "description": "The runner application was updated. This event is not included in the JSON/CSV export.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners",
+    "fields": [
+      "org_id",
+      "runner_id",
+      "runner_name",
+      "source_version",
+      "target_version",
+      "runner_group_id",
+      "runner_group_name"
+    ],
+    "docs_reference_titles": "Self-hosted runners"
+  },
+  {
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
+  {
+    "action": "org.set_actions_fork_pr_approvals_policy",
+    "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks"
+  },
+  {
+    "action": "org.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "org.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "limit",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization"
+  },
+  {
+    "action": "org.set_custom_invitation_rate_limit",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "_document_id",
+      "org_id",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "created_at",
+      "org",
+      "action"
+    ]
+  },
+  {
+    "action": "org.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization"
+  },
+  {
+    "action": "org.set_fork_pr_workflows_policy",
+    "description": "The policy for workflows on private repository forks was changed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "org.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests"
+  },
+  {
+    "action": "org.sso_response",
+    "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "org_id",
+      "@timestamp",
+      "org",
+      "issuer",
+      "business",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "business_id",
+      "_document_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.transform",
+    "description": "A user account was converted into an organization.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-your-personal-account/converting-a-user-into-an-organization",
+    "fields": [
+      "actor",
+      "_document_id",
+      "request_id",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "org",
+      "action",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "owner",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Converting a user into an organization"
+  },
+  {
+    "action": "org.unblock_user",
+    "description": "A user was unblocked from an organization.",
+    "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization",
+    "fields": [
+      "oauth_application_id",
+      "_document_id",
+      "blocked_user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "created_at",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization"
+  },
+  {
+    "action": "org.update_actions_settings",
+    "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "new_policy",
+      "updated_allowed_types",
+      "old_policy",
+      "updated_access_policy",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization"
+  },
+  {
+    "action": "org.update_default_repository_permission",
+    "description": "The default repository permission level for organization members was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "action",
+      "operation_type",
+      "created_at",
+      "org",
+      "org_id",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "permission",
+      "actor_id",
+      "old_permission",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.update_member",
+    "description": "A person's role was changed from owner to member or member to owner.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "org_id",
+      "created_at",
+      "_document_id",
+      "user",
+      "user_id",
+      "action",
+      "request_id",
+      "actor_id",
+      "old_permission",
+      "permission",
+      "actor",
+      "user_agent",
+      "operation_type",
+      "org"
+    ]
+  },
+  {
+    "action": "org.update_member_repository_creation_permission",
+    "description": "The create repository permission for organization members was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "action",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "permission",
+      "created_at",
+      "user_agent",
+      "org",
+      "org_id",
+      "_document_id",
+      "visibility",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.update_member_repository_invitation_permission",
+    "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.",
+    "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators",
+    "fields": [
+      "actor_id",
+      "permission",
+      "action",
+      "org_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "business_id",
+      "operation_type",
+      "org",
+      "user_agent",
+      "request_id",
+      "business",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Setting permissions for adding outside collaborators"
+  },
+  {
+    "action": "org.update_saml_provider_settings",
+    "description": "An organization's SAML provider settings were updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "sso_url",
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "issuer",
+      "org",
+      "_document_id",
+      "actor",
+      "org_id",
+      "created_at",
+      "request_id",
+      "action"
+    ]
+  },
+  {
+    "action": "org.update_terms_of_service",
+    "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.",
+    "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement",
+    "fields": [
+      "request_id",
+      "org_id",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "org",
+      "action",
+      "@timestamp",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement"
+  },
+  {
+    "action": "organization_custom_property_definition.create",
+    "description": "A new organization custom property definition was created.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "description",
+      "value_type",
+      "required",
+      "allowed_values",
+      "default_value",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_definition.destroy",
+    "description": "An organization custom property definition was deleted.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "description",
+      "value_type",
+      "required",
+      "allowed_values",
+      "default_value",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_definition.update",
+    "description": "An organization custom property definition was updated.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "old_values_editable_by",
+      "values_editable_by",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "old_allowed_values"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_value.create",
+    "description": "An organization's custom property value was manually set for the first time.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_value.destroy",
+    "description": "An organization's custom property value was deleted.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_domain.approve",
+    "description": "A domain was approved for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner_type",
+      "domain_name",
+      "org_id",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization"
+  },
+  {
+    "action": "organization_domain.create",
+    "description": "A domain was added to an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "domain_name",
+      "action",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "actor"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization"
+  },
+  {
+    "action": "organization_domain.destroy",
+    "description": "A domain was removed from an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain",
+    "fields": [
+      "action",
+      "domain_name",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain"
+  },
+  {
+    "action": "organization_domain.verify",
+    "description": "A domain was verified for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization",
+    "fields": [
+      "operation_type",
+      "domain_name",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "actor",
+      "action",
+      "created_at",
+      "_document_id",
+      "actor_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization"
+  },
+  {
+    "action": "packages.package_deleted",
+    "description": "An entire package was deleted.",
+    "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "package",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package"
+  },
+  {
+    "action": "packages.package_published",
+    "description": "A package was published or republished to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "package",
+      "ecosystem",
+      "version_count",
+      "is_republished",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "packages.package_version_deleted",
+    "description": "A specific package version was deleted.",
+    "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "package",
+      "version",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "ecosystem",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package"
+  },
+  {
+    "action": "packages.package_version_published",
+    "description": "A specific package version was published or republished to a package.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "ecosystem",
+      "package",
+      "version",
+      "actor_id",
+      "user_agent",
+      "is_republished",
+      "actor",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "pages_protected_domain.create",
+    "description": "A GitHub Pages verified domain was created for an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "pages_protected_domain.delete",
+    "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "pages_protected_domain.verify",
+    "description": "A GitHub Pages domain was verified for an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "passkey.register",
+    "description": "A new passkey was added.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "nickname",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "passkey.remove",
+    "description": "A new passkey was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "nickname",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.create",
+    "description": "A new payment method was added, such as a new credit card or PayPal account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "user_id",
+      "_document_id",
+      "action",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.remove",
+    "description": "A payment method was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "user_id",
+      "action",
+      "operation_type",
+      "actor",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.update",
+    "description": "An existing payment method was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "org_id",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "action",
+      "actor",
+      "org",
+      "user_agent",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_granted",
+    "description": "A fine-grained personal access token was granted access to resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "repository_selection",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.access_restriction_disabled",
+    "description": "The configured restriction for access to resources via personal access tokens was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_restriction_enabled",
+    "description": "The configured restriction for access to resources via personal access tokens was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_restriction_reset",
+    "description": "The configured restriction for access to resources via personal access tokens was reset and delegated to organizations.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_revoked",
+    "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "repository_selection",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.auto_approve_grant_requests_disabled",
+    "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "personal_access_token.auto_approve_grant_requests_enabled",
+    "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "personal_access_token.auto_approve_grant_requests_reset",
+    "description": "Triggered when the enterprise delegates to the organizations when to require approval for fine-grained personal access tokens before the tokens can access organization resources.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "personal_access_token.create",
+    "description": "Triggered when you create a fine-grained personal access token.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "personal_access_token.credential_regenerated",
+    "description": "Triggered when you regenerate a fine-grained personal access token.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.credential_revoked",
+    "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.",
+    "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users",
+    "fields": [
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users"
+  },
+  {
+    "action": "personal_access_token.destroy",
+    "description": "Triggered when you delete a fine-grained personal access token.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "explanation",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.expiration_limit_set",
+    "description": "A personal access token expiration limit was set.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "token_expiration",
+      "old_token_expiration",
+      "exempt_administrators",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.expiration_limit_unset",
+    "description": "A personal access token expiration limit was unset.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "old_token_expiration",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.request_cancelled",
+    "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "org",
+      "org_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ]
+  },
+  {
+    "action": "personal_access_token.request_created",
+    "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.request_denied",
+    "description": "A request for a fine-grained personal access token to access organization resources was denied.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_programmatic_access_name",
+      "org",
+      "org_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.update",
+    "description": "A fine-grained personal access token was updated.",
+    "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens"
+  },
+  {
+    "action": "premium_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "premium_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "premium_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting.disable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting.enable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting_new_repos.disable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting_new_repos.enable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "profile_picture.update",
+    "description": "A profile picture was updated.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile",
+    "fields": [
+      "user",
+      "actor_id",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "owner",
+      "action",
+      "_document_id",
+      "request_id",
+      "user_agent",
+      "actor",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Personalize your profile"
+  },
+  {
+    "action": "project.access",
+    "description": "A project board visibility was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "actor",
+      "user_agent",
+      "operation_type",
+      "user",
+      "created_at",
+      "user_id",
+      "action",
+      "request_id",
+      "_document_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "project.close",
+    "description": "A project board was closed.",
+    "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board",
+    "fields": [
+      "org_id",
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "repo_id",
+      "org",
+      "_document_id",
+      "project_id",
+      "action",
+      "actor",
+      "actor_id",
+      "repo",
+      "project_kind"
+    ],
+    "docs_reference_titles": "Closing a project (classic)"
+  },
+  {
+    "action": "project_collaborator.add",
+    "description": "A collaborator was added to a project.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "collaborator_type",
+      "org",
+      "org_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "public_project",
+      "project_name",
+      "project_role",
+      "old_project_role",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project_collaborator.remove",
+    "description": "A collaborator was removed from a project.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "collaborator_type",
+      "user",
+      "user_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project_collaborator.update",
+    "description": "A project collaborator's permission level was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "public_project",
+      "project_name",
+      "collaborator_type",
+      "project_role",
+      "old_project_role",
+      "project_id",
+      "user",
+      "user_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project.create",
+    "description": "A project board was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user",
+      "_document_id",
+      "request_id",
+      "user_id",
+      "user_agent",
+      "@timestamp",
+      "actor_id",
+      "action",
+      "created_at",
+      "actor"
+    ]
+  },
+  {
+    "action": "project.delete",
+    "description": "A project board was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "action",
+      "actor_id",
+      "operation_type",
+      "actor",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "user"
+    ]
+  },
+  {
+    "action": "project_field.create",
+    "description": "A field was created in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields"
+  },
+  {
+    "action": "project_field.delete",
+    "description": "A field was deleted in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields"
+  },
+  {
+    "action": "project.link",
+    "description": "A repository was linked to a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "action",
+      "actor_id",
+      "org_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "org",
+      "repo"
+    ]
+  },
+  {
+    "action": "project.open",
+    "description": "A project board was reopened.",
+    "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board",
+    "fields": [
+      "actor",
+      "request_id",
+      "actor_id",
+      "action",
+      "user_id",
+      "project_id",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "user",
+      "@timestamp",
+      "created_at",
+      "project_kind",
+      "project_name"
+    ],
+    "docs_reference_titles": "Reopening a closed project (classic)"
+  },
+  {
+    "action": "project.rename",
+    "description": "A project board was renamed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "old_name",
+      "operation_type",
+      "@timestamp",
+      "repo",
+      "_document_id",
+      "user_agent",
+      "org_id",
+      "business_id",
+      "actor",
+      "repo_id",
+      "org",
+      "business"
+    ]
+  },
+  {
+    "action": "project.unlink",
+    "description": "A repository was unlinked from a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "action",
+      "created_at",
+      "actor_id",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "org",
+      "org_id"
+    ]
+  },
+  {
+    "action": "project.update_org_permission",
+    "description": "The project's base-level permission for all organization members was changed or removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org",
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "action",
+      "org_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "project.update_team_permission",
+    "description": "A team's project board permission level was changed or when a team was added or removed from a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org_id",
+      "operation_type",
+      "org",
+      "actor_id",
+      "_document_id",
+      "request_id",
+      "team",
+      "@timestamp",
+      "action",
+      "user_agent",
+      "actor"
+    ]
+  },
+  {
+    "action": "project.update_user_permission",
+    "description": "A user was added to or removed from a project board or had their permission level changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "actor_id",
+      "user",
+      "user_agent",
+      "actor",
+      "created_at",
+      "org",
+      "_document_id",
+      "org_id",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "project_view.create",
+    "description": "A view was created in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views"
+  },
+  {
+    "action": "project_view.delete",
+    "description": "A view was deleted in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views"
+  },
+  {
+    "action": "project.visibility_private",
+    "description": "A project's visibility was changed from public to private.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "project_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "project_kind",
+      "project_name"
+    ]
+  },
+  {
+    "action": "project.visibility_public",
+    "description": "A project's visibility was changed from private to public.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "project_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "project_kind",
+      "project_name",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.authorized_users_teams",
+    "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+    "fields": [
+      "repo",
+      "action",
+      "org_id",
+      "user_agent",
+      "name",
+      "created_at",
+      "_document_id",
+      "operation_type",
+      "actor",
+      "repo_id",
+      "org",
+      "request_id",
+      "actor_id",
+      "oauth_application_id",
+      "@timestamp",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches"
+  },
+  {
+    "action": "protected_branch.branch_allowances",
+    "description": "A protected branch allowance was given to a specific user, team or integration.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "name",
+      "authorized_actors",
+      "policy",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.create",
+    "description": "Branch protection was enabled on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "repo_id",
+      "user_id",
+      "@timestamp",
+      "user_agent",
+      "repo",
+      "name",
+      "org_id",
+      "user",
+      "_document_id",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "action",
+      "created_at",
+      "authorized_actor_names",
+      "token_scopes",
+      "required_deployments_enforcement_level",
+      "merge_queue_enforcement_level",
+      "create_protected"
+    ]
+  },
+  {
+    "action": "protected_branch.destroy",
+    "description": "Branch protection was disabled on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "repo",
+      "@timestamp",
+      "actor",
+      "org",
+      "actor_id",
+      "request_id",
+      "repo_id",
+      "org_id",
+      "operation_type",
+      "action",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "required_deployments_enforcement_level",
+      "merge_queue_enforcement_level",
+      "create_protected"
+    ]
+  },
+  {
+    "action": "protected_branch.dismiss_stale_reviews",
+    "description": "Enforcement of dismissing stale pull requests was updated on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "dismiss_stale_reviews_on_push",
+      "org_id",
+      "action",
+      "created_at",
+      "request_id",
+      "_document_id",
+      "@timestamp",
+      "actor_id",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "repo",
+      "org",
+      "name",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.dismissal_restricted_users_teams",
+    "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "repo_id",
+      "actor",
+      "oauth_application_id",
+      "authorized_actors_only",
+      "authorized_actors",
+      "created_at",
+      "user_agent",
+      "name",
+      "_document_id",
+      "org_id",
+      "request_id",
+      "@timestamp",
+      "actor_id",
+      "org",
+      "action",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.policy_override",
+    "description": "A branch protection requirement was overridden by a repository administrator.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "created_at",
+      "actor",
+      "reasons",
+      "@timestamp",
+      "before",
+      "after",
+      "actor_id",
+      "repo",
+      "operation_type",
+      "user_agent",
+      "branch",
+      "overridden_codes",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "referrer",
+      "business",
+      "business_id",
+      "deploy_key_fingerprint",
+      "token_scopes",
+      "programmatic_access_type",
+      "compliant_pull_request_ids",
+      "rule_suite_id"
+    ]
+  },
+  {
+    "action": "protected_branch.rejected_ref_update",
+    "description": "A branch update attempt was rejected.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "org",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "org_id",
+      "operation_type",
+      "request_id",
+      "repo_id",
+      "actor",
+      "branch",
+      "before",
+      "overridden_codes",
+      "after",
+      "action",
+      "reasons",
+      "actor_id",
+      "business_id",
+      "deploy_key_fingerprint",
+      "token_scopes",
+      "programmatic_access_type",
+      "compliant_pull_request_ids",
+      "actor_is_bot",
+      "rule_suite_id"
+    ]
+  },
+  {
+    "action": "protected_branch.update_admin_enforced",
+    "description": "Branch protection was enforced for repository administrators.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "admin_enforced",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "org",
+      "name",
+      "repo",
+      "@timestamp",
+      "action",
+      "repo_id",
+      "org_id",
+      "_document_id",
+      "created_at",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_allow_deletions_enforcement_level",
+    "description": "Branch deletion was enabled or disabled for a protected branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "operation_type",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "org_id",
+      "org",
+      "action",
+      "allow_deletions_enforcement_level",
+      "_document_id",
+      "created_at",
+      "actor_id",
+      "user_agent",
+      "actor",
+      "repo_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.update_allow_force_pushes_enforcement_level",
+    "description": "Force pushes were enabled or disabled for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "actor_id",
+      "name",
+      "_document_id",
+      "actor",
+      "repo",
+      "operation_type",
+      "request_id",
+      "allow_force_pushes_enforcement_level",
+      "@timestamp",
+      "org",
+      "action",
+      "created_at",
+      "user_agent",
+      "repo_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_ignore_approvals_from_contributors",
+    "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "ignore_approvals_from_contributors",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+  },
+  {
+    "action": "protected_branch.update_linear_history_requirement_enforcement_level",
+    "description": "Required linear commit history was enabled or disabled for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "user_agent",
+      "operation_type",
+      "actor",
+      "linear_history_requirement_enforcement_level",
+      "repo",
+      "request_id",
+      "name",
+      "org_id",
+      "repo_id",
+      "org",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_lock_allows_fetch_and_merge",
+    "description": "Fork syncing was enabled or disabled for a read-only branch",
+    "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "lock_allows_fetch_and_merge",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch"
+  },
+  {
+    "action": "protected_branch.update_lock_branch_enforcement_level",
+    "description": "The enforcement of a branch lock was updated.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "enforcement_level",
+      "lock_branch_enforcement_level",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch"
+  },
+  {
+    "action": "protected_branch.update_merge_queue_enforcement_level",
+    "description": "Enforcement of the merge queue was modified for a branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "merge_queue_enforcement_level",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue"
+  },
+  {
+    "action": "protected_branch.update_name",
+    "description": "A branch name pattern was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "old_name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.update_pull_request_reviews_enforcement_level",
+    "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "org_id",
+      "_document_id",
+      "actor_id",
+      "@timestamp",
+      "business_id",
+      "request_id",
+      "pull_request_reviews_enforcement_level",
+      "org",
+      "repo",
+      "action",
+      "business",
+      "user_agent",
+      "created_at",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_require_code_owner_review",
+    "description": "Enforcement of required code owner review was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "created_at",
+      "require_code_owner_review",
+      "operation_type",
+      "name",
+      "user_agent",
+      "action",
+      "@timestamp",
+      "actor",
+      "actor_id",
+      "repo",
+      "request_id",
+      "org",
+      "repo_id",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_require_last_push_approval",
+    "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "require_last_push_approval",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging"
+  },
+  {
+    "action": "protected_branch.update_required_approving_review_count",
+    "description": "Enforcement of the required number of approvals before merging was updated on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "required_approving_review_count",
+      "repo",
+      "request_id",
+      "repo_id",
+      "created_at",
+      "actor",
+      "operation_type",
+      "user_agent",
+      "name",
+      "org_id",
+      "action",
+      "actor_id",
+      "_document_id",
+      "org",
+      "@timestamp",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_required_status_checks_enforcement_level",
+    "description": "Enforcement of required status checks was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org_id",
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "name",
+      "repo",
+      "action",
+      "business_id",
+      "repo_id",
+      "business",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "required_status_checks_enforcement_level",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_signature_requirement_enforcement_level",
+    "description": "Enforcement of required commit signing was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "name",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "actor",
+      "actor_id",
+      "signature_requirement_enforcement_level",
+      "repo",
+      "user_agent",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_strict_required_status_checks_policy",
+    "description": "Enforcement of required status checks was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "_document_id",
+      "org",
+      "@timestamp",
+      "created_at",
+      "repo_id",
+      "org_id",
+      "user_agent",
+      "name",
+      "actor",
+      "repo",
+      "operation_type",
+      "action",
+      "strict_required_status_checks_policy",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "public_key.create",
+    "description": "An SSH key was added to a user account or a deploy key was added to a repository.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account",
+    "fields": [
+      "read_only",
+      "user_agent",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "key",
+      "fingerprint",
+      "actor",
+      "action",
+      "user",
+      "user_id",
+      "@timestamp",
+      "request_id",
+      "title",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account"
+  },
+  {
+    "action": "public_key.delete",
+    "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.",
+    "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys",
+    "fields": [
+      "fingerprint",
+      "user_agent",
+      "read_only",
+      "explanation",
+      "repo",
+      "@timestamp",
+      "action",
+      "key",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "title",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "created_at",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys"
+  },
+  {
+    "action": "public_key.unverification_failure",
+    "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "title",
+      "key",
+      "fingerprint",
+      "read_only",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.unverify",
+    "description": "A user account's SSH key or a repository's deploy key was unverified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "title",
+      "request_id",
+      "key",
+      "action",
+      "actor",
+      "read_only",
+      "explanation",
+      "repo_id",
+      "@timestamp",
+      "actor_id",
+      "repo",
+      "user_agent",
+      "fingerprint"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.update",
+    "description": "A user account's SSH key or a repository's deploy key was updated.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "actor",
+      "user_agent",
+      "key",
+      "fingerprint",
+      "read_only",
+      "repo_id",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "repo",
+      "action",
+      "_document_id",
+      "request_id",
+      "title",
+      "@timestamp",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.verification_failure",
+    "description": "A user account's SSH key or a repository's deploy key was unable to be verified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "repo_id",
+      "actor",
+      "key",
+      "fingerprint",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "oauth_application_id",
+      "title",
+      "action",
+      "user_agent",
+      "created_at",
+      "repo",
+      "read_only",
+      "operation_type",
+      "_document_id",
+      "user",
+      "user_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.verify",
+    "description": "A user account's SSH key or a repository's deploy key was verified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "operation_type",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "action",
+      "created_at",
+      "key",
+      "fingerprint",
+      "actor_id",
+      "actor",
+      "title",
+      "user_agent",
+      "user_id",
+      "request_id",
+      "read_only",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "pull_request.close",
+    "description": "A pull request was closed without being merged.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request"
+  },
+  {
+    "action": "pull_request.converted_to_draft",
+    "description": "A pull request was converted to a draft.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft"
+  },
+  {
+    "action": "pull_request.create",
+    "description": "A pull request was created.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request"
+  },
+  {
+    "action": "pull_request.create_review_request",
+    "description": "A review was requested on a pull request.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "org_id",
+      "reviewer_type",
+      "reviewer",
+      "reviewer_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews"
+  },
+  {
+    "action": "pull_request.in_progress",
+    "description": "A pull request was marked as in progress.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "pull_request.indirect_merge",
+    "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request.merge",
+    "description": "A pull request was merged.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request"
+  },
+  {
+    "action": "pull_request.ready_for_review",
+    "description": "A pull request was marked as ready for review.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review"
+  },
+  {
+    "action": "pull_request.rebase",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "pull_request_url",
+      "pull_request_title",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "pull_request.remove_review_request",
+    "description": "A review request was removed from a pull request.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "org_id",
+      "reviewer_type",
+      "reviewer",
+      "reviewer_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews"
+  },
+  {
+    "action": "pull_request.reopen",
+    "description": "A pull request was reopened after previously being closed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request_review_comment.create",
+    "description": "A review comment was added to a pull request.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "comment_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews"
+  },
+  {
+    "action": "pull_request_review_comment.delete",
+    "description": "A review comment on a pull request was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "repo",
+      "created_at",
+      "request_id",
+      "comment_id",
+      "actor_id",
+      "repo_id",
+      "action",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request_review_comment.update",
+    "description": "A review comment on a pull request was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "action",
+      "created_at",
+      "actor",
+      "_document_id",
+      "@timestamp",
+      "comment_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request_review.delete",
+    "description": "A review on a pull request was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "review_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "pull_request_review.dismiss",
+    "description": "A review on a pull request was dismissed.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "review_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review"
+  },
+  {
+    "action": "pull_request_review.submit",
+    "description": "A review on a pull request was submitted.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "review_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review"
+  },
+  {
+    "action": "repo.access",
+    "description": "The visibility of a repository changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility",
+    "fields": [
+      "repo_id",
+      "user",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "actor_id",
+      "user_id",
+      "created_at",
+      "user_agent",
+      "actor",
+      "action",
+      "repo",
+      "visibility",
+      "_document_id",
+      "previous_visibility",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility"
+  },
+  {
+    "action": "repo.actions_enabled",
+    "description": "GitHub Actions was enabled for a repository.",
+    "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api"
+  },
+  {
+    "action": "repo.add_member",
+    "description": "A collaborator was added to a repository.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository",
+    "fields": [
+      "visibility",
+      "repo",
+      "created_at",
+      "user_agent",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "repo_id",
+      "user",
+      "request_id",
+      "action",
+      "user_id",
+      "oauth_application_id",
+      "org",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Inviting collaborators to a personal repository"
+  },
+  {
+    "action": "repo.add_topic",
+    "description": "A topic was added to a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics",
+    "fields": [
+      "action",
+      "user_agent",
+      "actor",
+      "repo",
+      "repo_id",
+      "user",
+      "org",
+      "org_id",
+      "request_id",
+      "actor_id",
+      "topic",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics"
+  },
+  {
+    "action": "repo.advanced_security_disabled",
+    "description": "GitHub Advanced Security was disabled for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "repository",
+      "repository_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository"
+  },
+  {
+    "action": "repo.advanced_security_enabled",
+    "description": "GitHub Advanced Security was enabled for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "repository",
+      "repository_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository"
+  },
+  {
+    "action": "repo.archived",
+    "description": "A repository was archived.",
+    "docs_reference_links": "/repositories/archiving-a-github-repository",
+    "fields": [
+      "repo_id",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "@timestamp",
+      "repo",
+      "user",
+      "operation_type",
+      "visibility",
+      "action",
+      "actor_id",
+      "actor",
+      "_document_id",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/archiving-a-github-repository"
+  },
+  {
+    "action": "repo.change_merge_setting",
+    "description": "Pull request merge options were changed for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "oauth_application_id",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "actor_id",
+      "operation_type",
+      "action",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_analysis_deleted",
+    "description": "Code scanning analysis for a repository was deleted.",
+    "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "tool",
+      "category",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository"
+  },
+  {
+    "action": "repo.code_scanning_autofix_disabled",
+    "description": "Autofix for code scanning alerts was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_autofix_enabled",
+    "description": "Autofix for code scanning alerts was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_autofix_third_party_tools_disabled",
+    "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_autofix_third_party_tools_enabled",
+    "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_configuration_for_branch_deleted",
+    "description": "A code scanning configuration for a branch of a repository was deleted.",
+    "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "tool",
+      "branch",
+      "category",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Resolving code scanning alerts"
+  },
+  {
+    "action": "repo.code_scanning_delegated_alert_dismissal_disabled",
+    "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_delegated_alert_dismissal_enabled",
+    "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repo.codeql_disabled",
+    "description": "Code scanning using the default setup was disabled for a repository.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning"
+  },
+  {
+    "action": "repo.codeql_enabled",
+    "description": "Code scanning using the default setup was enabled for a repository.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "query_suite",
+      "threat_model",
+      "languages",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning"
+  },
+  {
+    "action": "repo.codeql_updated",
+    "description": "Code scanning using the default setup was updated for a repository.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "query_suite",
+      "threat_model",
+      "languages",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning"
+  },
+  {
+    "action": "repo.collaborators_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "visibility",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "repo.config.disable_collaborators_only",
+    "description": "The interaction limit for collaborators only was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "user_agent",
+      "actor",
+      "actor_id",
+      "repo_id",
+      "_document_id",
+      "action",
+      "created_at",
+      "repo",
+      "operation_type",
+      "@timestamp",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.disable_contributors_only",
+    "description": "The interaction limit for prior contributors only was disabled in a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "repo",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "repo_id",
+      "action",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.disable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users only was disabled in a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "request_id",
+      "repo_id",
+      "action",
+      "user_agent",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "repo",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_collaborators_only",
+    "description": "The interaction limit for collaborators only was enabled in a repository  Users that are not collaborators or organization members were unable to interact with a repository for a set duration.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "oauth_application_id",
+      "created_at",
+      "action",
+      "request_id",
+      "repo_id",
+      "repo",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_contributors_only",
+    "description": "The interaction limit for prior contributors only was enabled in a repository  Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "org",
+      "action",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users was enabled in a repository  New users aren't able to interact with a repository for a set duration  Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "action",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.configure_self_hosted_jit_runner",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "token_id",
+      "token_scopes",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.create",
+    "description": "A repository was created.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository",
+    "fields": [
+      "repo",
+      "user_id",
+      "visibility",
+      "repo_id",
+      "user",
+      "request_id",
+      "actor_id",
+      "action",
+      "operation_type",
+      "request_category",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor",
+      "user_agent",
+      "org",
+      "oauth_application_id",
+      "org_id",
+      "request_method",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository"
+  },
+  {
+    "action": "repo.create_actions_secret",
+    "description": "A GitHub Actions secret was created for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.create_actions_variable",
+    "description": "A GitHub Actions variable was created for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.create_integration_secret",
+    "description": "A Codespaces or Dependabot secret was created for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.destroy",
+    "description": "A repository was deleted.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository",
+    "fields": [
+      "repo",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "actor",
+      "action",
+      "user",
+      "repo_id",
+      "operation_type",
+      "request_category",
+      "actor_id",
+      "visibility",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "request_method",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository"
+  },
+  {
+    "action": "repo.disk_archive",
+    "description": "A repository was archived on disk.",
+    "docs_reference_links": "/repositories/archiving-a-github-repository/archiving-repositories",
+    "fields": [
+      "actor_id",
+      "repo",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "_document_id",
+      "repo_id",
+      "actor",
+      "action",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/repositories/archiving-a-github-repository/archiving-repositories"
+  },
+  {
+    "action": "repo.download_zip",
+    "description": "A source code archive of a repository was downloaded as a ZIP file.",
+    "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives"
+  },
+  {
+    "action": "repo.hide_from_discovery",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user_agent",
+      "org",
+      "operation_type",
+      "visibility",
+      "repo_id",
+      "created_at",
+      "actor",
+      "action",
+      "@timestamp",
+      "org_id",
+      "request_id",
+      "repo",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "repo.noindex",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "visibility",
+      "repo_id",
+      "request_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "actor_id",
+      "created_at",
+      "user",
+      "operation_type",
+      "actor",
+      "user_agent",
+      "repo",
+      "user_id",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "repo.override_unlock",
+    "description": "The repository was unlocked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "repo.pages_build",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "@timestamp",
+      "action",
+      "_document_id",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "visibility",
+      "actor",
+      "user_id"
+    ]
+  },
+  {
+    "action": "repo.pages_cname",
+    "description": "A GitHub Pages custom domain was modified in a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "@timestamp",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "request_id",
+      "actor_id",
+      "cname",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "action",
+      "operation_type",
+      "old_cname",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_create",
+    "description": "A GitHub Pages site was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "_document_id",
+      "user_id",
+      "visibility",
+      "action",
+      "user_agent",
+      "operation_type",
+      "repo_id",
+      "created_at",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "repo",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_destroy",
+    "description": "A GitHub Pages site was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "user_id",
+      "action",
+      "request_id",
+      "user",
+      "repo",
+      "user_agent",
+      "_document_id",
+      "actor_id",
+      "@timestamp",
+      "actor",
+      "visibility",
+      "operation_type",
+      "repo_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_https_redirect_disabled",
+    "description": "HTTPS redirects were disabled for a GitHub Pages site.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "actor_id",
+      "repo_id",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "visibility",
+      "user_id",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "operation_type",
+      "action",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_https_redirect_enabled",
+    "description": "HTTPS redirects were enabled for a GitHub Pages site.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "visibility",
+      "actor",
+      "actor_id",
+      "user",
+      "operation_type",
+      "repo_id",
+      "action",
+      "repo",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_private",
+    "description": "A GitHub Pages site visibility was changed to private.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "repo.pages_public",
+    "description": "A GitHub Pages site visibility was changed to public.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_soft_delete",
+    "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_soft_delete_restore",
+    "description": "A GitHub Pages site that was previously soft-deleted was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_source",
+    "description": "A GitHub Pages source was modified.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "actor_id",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "repo_id",
+      "user",
+      "_document_id",
+      "request_id",
+      "visibility",
+      "repo",
+      "created_at",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.register_self_hosted_runner",
+    "description": "A new self-hosted runner was registered.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository",
+    "fields": [
+      "actor_id",
+      "repo",
+      "operation_type",
+      "action",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repo_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding self-hosted runners"
+  },
+  {
+    "action": "repo.remove_actions_secret",
+    "description": "A GitHub Actions secret was deleted for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.remove_actions_variable",
+    "description": "A GitHub Actions variable was deleted for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.remove_integration_secret",
+    "description": "A Codespaces or Dependabot secret was deleted for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "integration",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.remove_member",
+    "description": "A collaborator was removed from a repository.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository",
+    "fields": [
+      "request_id",
+      "user",
+      "business",
+      "action",
+      "actor_id",
+      "org",
+      "org_id",
+      "actor",
+      "created_at",
+      "repo_id",
+      "user_agent",
+      "business_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "visibility",
+      "repo",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing a collaborator from a personal repository"
+  },
+  {
+    "action": "repo.remove_self_hosted_runner",
+    "description": "A self-hosted runner was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "@timestamp",
+      "_document_id",
+      "repo",
+      "org_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "created_at",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing self-hosted runners"
+  },
+  {
+    "action": "repo.remove_topic",
+    "description": "A topic was removed from a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "repo_id",
+      "user_agent",
+      "topic",
+      "operation_type",
+      "user_id",
+      "org",
+      "org_id",
+      "actor",
+      "business",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor_id",
+      "business_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.rename",
+    "description": "A repository was renamed.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository",
+    "fields": [
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "actor",
+      "old_name",
+      "repo",
+      "user_id",
+      "created_at",
+      "user",
+      "action",
+      "operation_type",
+      "visibility",
+      "repo_id",
+      "_document_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository"
+  },
+  {
+    "action": "repo.require_login",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "visibility",
+      "operation_type",
+      "repo",
+      "_document_id",
+      "user",
+      "user_id",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "repo_id",
+      "action",
+      "@timestamp",
+      "request_id"
+    ]
+  },
+  {
+    "action": "repo.restore",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "action",
+      "_document_id",
+      "actor_id",
+      "user",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_id"
+    ]
+  },
+  {
+    "action": "repo.self_hosted_runner_offline",
+    "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "repo_id",
+      "repo",
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "repo.self_hosted_runner_online",
+    "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "repo_id",
+      "repo",
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "repo.self_hosted_runner_updated",
+    "description": "The runner application was updated. This event is not included in the JSON/CSV export.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners",
+    "fields": [
+      "repo_id",
+      "runner_id",
+      "runner_name",
+      "source_version",
+      "target_version",
+      "runner_group_id",
+      "runner_group_name"
+    ],
+    "docs_reference_titles": "Self-hosted runners"
+  },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_fork_pr_approvals_policy",
+    "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks"
+  },
+  {
+    "action": "repo.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories"
+  },
+  {
+    "action": "repo.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "limit",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository"
+  },
+  {
+    "action": "repo.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository"
+  },
+  {
+    "action": "repo.set_fork_pr_workflows_policy",
+    "description": "Triggered when the policy for workflows on private repository forks is changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "repo.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests"
+  },
+  {
+    "action": "repo.staff_unlock",
+    "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "created_at",
+      "actor",
+      "repo_id",
+      "action",
+      "org",
+      "org_id",
+      "request_id",
+      "repo",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repo.temporary_access_granted",
+    "description": "Temporary access was enabled for a repository.",
+    "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Accessing user-owned repositories in your enterprise"
+  },
+  {
+    "action": "repo.transfer",
+    "description": "A user accepted a request to receive a transferred repository.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository",
+    "fields": [
+      "@timestamp",
+      "user_id",
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "owner",
+      "user",
+      "old_user",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "repo",
+      "visibility",
+      "repo_was",
+      "actor"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository"
+  },
+  {
+    "action": "repo.transfer_outgoing",
+    "description": "A repository was transferred to another repository network.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "new_nwo",
+      "visibility",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.transfer_start",
+    "description": "A user sent a request to transfer a repository to another user or organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "user_id",
+      "request_id",
+      "user",
+      "action",
+      "user_agent",
+      "created_at",
+      "actor",
+      "visibility",
+      "repo_id",
+      "actor_id",
+      "repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.unarchived",
+    "description": "A repository was unarchived.",
+    "docs_reference_links": "/repositories/archiving-a-github-repository",
+    "fields": [
+      "actor",
+      "request_id",
+      "actor_id",
+      "repo",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "repo_id",
+      "user",
+      "@timestamp",
+      "visibility",
+      "user_agent",
+      "user_id",
+      "action",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/archiving-a-github-repository"
+  },
+  {
+    "action": "repo.update_actions_access_settings",
+    "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "old_policy",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repo.update_actions_secret",
+    "description": "A GitHub Actions secret was updated for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.update_actions_settings",
+    "description": "A repository administrator changed GitHub Actions policy settings for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "new_policy",
+      "old_policy",
+      "updated_access_policy",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.update_actions_variable",
+    "description": "A GitHub Actions variable was updated for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.update_default_branch",
+    "description": "The default branch for a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.update_integration_secret",
+    "description": "A Codespaces or Dependabot secret was updated for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.update_member",
+    "description": "A user's permission to a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "action",
+      "_document_id",
+      "actor",
+      "repo_id",
+      "created_at",
+      "oauth_application_id",
+      "user",
+      "@timestamp",
+      "repo",
+      "operation_type",
+      "request_id",
+      "org_id",
+      "actor_id",
+      "visibility",
+      "old_permission",
+      "org",
+      "user_id",
+      "old_base_role",
+      "old_repo_permission",
+      "old_repo_base_role",
+      "new_repo_base_role",
+      "new_repo_permission",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_branch_protection_evaluation.disable",
+    "description": "Branch protections were disabled for the repository.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "business_id",
+      "user",
+      "user_id",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+  },
+  {
+    "action": "repository_branch_protection_evaluation.enable",
+    "description": "Branch protections were enabled for this repository.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "business_id",
+      "user",
+      "user_id",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+  },
+  {
+    "action": "repository_code_security.disable",
+    "description": "Code security was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_code_security.enable",
+    "description": "Code security was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_image.create",
+    "description": "An image to represent a repository was uploaded.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "repo_id",
+      "action",
+      "request_id",
+      "actor",
+      "content_type",
+      "repo",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_image.destroy",
+    "description": "An image to represent a repository was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "content_type",
+      "created_at",
+      "actor_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "_document_id",
+      "actor",
+      "repo_id",
+      "user_agent",
+      "repo",
+      "user",
+      "action",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_invitation.accept",
+    "description": "An invitation to join a repository was accepted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "created_at",
+      "request_id",
+      "repo",
+      "invitee",
+      "operation_type",
+      "actor",
+      "repo_id",
+      "_document_id",
+      "action",
+      "user_agent",
+      "inviter",
+      "@timestamp",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_invitation.cancel",
+    "description": "An invitation to join a repository was canceled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "inviter",
+      "action",
+      "operation_type",
+      "_document_id",
+      "repo_id",
+      "repo",
+      "@timestamp",
+      "user_agent",
+      "invitee",
+      "created_at",
+      "request_id",
+      "actor",
+      "actor_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_invitation.create",
+    "description": "An invitation to join a repository was sent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "invitee",
+      "action",
+      "request_id",
+      "inviter",
+      "repo",
+      "created_at",
+      "user_agent",
+      "repo_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_invitation.reject",
+    "description": "An invitation to join a repository was declined.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "_document_id",
+      "actor",
+      "invitee",
+      "action",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "inviter",
+      "user_agent",
+      "repo_id"
+    ]
+  },
+  {
+    "action": "repository_ruleset.create",
+    "description": "A repository ruleset was created.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules",
+      "ruleset_conditions",
+      "ruleset_bypass_actors",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository"
+  },
+  {
+    "action": "repository_ruleset.destroy",
+    "description": "A repository ruleset was deleted.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules",
+      "ruleset_bypass_actors",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset"
+  },
+  {
+    "action": "repository_ruleset.update",
+    "description": "A repository ruleset was edited.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules_updated",
+      "ruleset_conditions_added",
+      "ruleset_conditions_deleted",
+      "ruleset_old_enforcement",
+      "ruleset_rules_added",
+      "ruleset_rules_deleted",
+      "ruleset_old_name",
+      "ruleset_conditions_updated",
+      "ruleset_bypass_actors_added",
+      "ruleset_bypass_actors_deleted",
+      "ruleset_bypass_actors_updated",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset"
+  },
+  {
+    "action": "repository_secret_scanning_automatic_validity_checks.disabled",
+    "description": "Automatic partner validation checks have been disabled at the repository level",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository"
+  },
+  {
+    "action": "repository_secret_scanning_automatic_validity_checks.enabled",
+    "description": "Automatic partner validation checks have been enabled at the repository level",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.create",
+    "description": "A custom pattern was created for secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.delete",
+    "description": "A custom pattern was removed from secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.publish",
+    "description": "A custom pattern was published for secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern_push_protection.disabled",
+    "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern_push_protection.enabled",
+    "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.update",
+    "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning.disable",
+    "description": "Secret scanning was disabled for a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning.enable",
+    "description": "Secret scanning was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_secret_scanning_non_provider_patterns.disabled",
+    "description": "Secret scanning for non-provider patterns was disabled at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "repository_secret_scanning_non_provider_patterns.enabled",
+    "description": "Secret scanning for non-provider patterns was enabled at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.add",
+    "description": "A role or team was added to the push protection bypass list at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.disable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.enable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.remove",
+    "description": "A role or team was removed from the push protection bypass list at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection.disable",
+    "description": "Secret scanning push protection was disabled for a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection.enable",
+    "description": "Secret scanning push protection was enabled for a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_security_configuration.applied",
+    "description": "A code security configuration was applied to a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_state",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_security_configuration.failed",
+    "description": "A code security configuration failed to attach to the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_security_configuration.removed",
+    "description": "A code security configuration was removed from a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_state",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_security_configuration.removed_by_settings_change",
+    "description": "A code security configuration was removed due to a change in repository or enterprise settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_state",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.auto_dismiss",
+    "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About Dependabot auto-triage rules"
+  },
+  {
+    "action": "repository_vulnerability_alert.auto_reopen",
+    "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About Dependabot auto-triage rules"
+  },
+  {
+    "action": "repository_vulnerability_alert.create",
+    "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "repo_id",
+      "@timestamp",
+      "user_agent",
+      "alert_id",
+      "action",
+      "repo",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts"
+  },
+  {
+    "action": "repository_vulnerability_alert.dismiss",
+    "description": "A Dependabot alert was manually dismissed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "org_id",
+      "user_id",
+      "request_id",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "alert_id",
+      "actor",
+      "repo",
+      "created_at",
+      "org",
+      "_document_id",
+      "action",
+      "actor_id",
+      "dismiss_reason",
+      "user",
+      "dismiss_comment",
+      "alert_number",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.reintroduce",
+    "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "alert_id",
+      "created_at",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "_document_id",
+      "@timestamp",
+      "operation_type",
+      "token_scopes",
+      "alert_number"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.reopen",
+    "description": "A Dependabot alert was manually reopened.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "alert_id",
+      "created_at",
+      "action",
+      "repo",
+      "repo_id",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo",
+      "alert_number",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.resolve",
+    "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "alert_id",
+      "repo",
+      "operation_type",
+      "action",
+      "repo_id",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "actor_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.withdraw",
+    "description": "A Dependabot alert was withdrawn.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "created_at",
+      "active",
+      "action",
+      "repository_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.authorized_users_teams",
+    "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts",
+    "fields": [
+      "org",
+      "_document_id",
+      "repo",
+      "org_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "repo_id",
+      "request_id",
+      "actor_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts"
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.disable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.enable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.disable",
+    "description": "Dependabot alerts was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "request_id",
+      "repo_id",
+      "action",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_agent",
+      "org_id",
+      "user",
+      "org",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.enable",
+    "description": "Dependabot alerts was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_agent",
+      "created_at",
+      "@timestamp",
+      "repo_id",
+      "action",
+      "user",
+      "repo",
+      "org",
+      "org_id",
+      "actor_id",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "restrict_notification_delivery.disable",
+    "description": "Email notification restrictions for an organization or enterprise were disabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "restrict_notification_delivery.enable",
+    "description": "Email notification restrictions for an organization or enterprise were enabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "secret_scanning_alert.create",
+    "description": "GitHub detected a secret and created a secret scanning alert.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning_alert.reopen",
+    "description": "A secret scanning alert was reopened.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type_display_name"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.resolve",
+    "description": "A secret scanning alert was resolved.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "resolution",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.revoke",
+    "description": "A secret scanning alert was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.validate",
+    "description": "A secret scanning alert was validated.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "created_at",
+      "previous_validity",
+      "current_validity",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning.disable",
+    "description": "Secret scanning was disabled for all existing repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning.enable",
+    "description": "Secret scanning was enabled for all existing repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning_new_repos.disable",
+    "description": "Secret scanning was disabled for all new repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning_new_repos.enable",
+    "description": "Secret scanning was enabled for all new repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning_push_protection.bypass",
+    "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "created_at",
+      "push_protection_bypass_reason",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "request_reviewer",
+      "request_reviewer_id"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.approve",
+    "description": "A request to bypass secret scanning push protection was approved by a user.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.deny",
+    "description": "A request to bypass secret scanning push protection was denied by a user.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header",
+      "request_reviewer_comment"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.request",
+    "description": "A user requested to bypass secret scanning push protection.",
+    "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Working with secret scanning and push protection"
+  },
+  {
+    "action": "secret_scanning_scan.completed",
+    "description": "A secret scanning scan has completed on this repository.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "repo_id",
+      "org_id",
+      "business_id",
+      "source",
+      "type",
+      "source_slug",
+      "type_slug",
+      "started_at",
+      "completed_at",
+      "repo",
+      "public_repo",
+      "org",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "secret_types",
+      "custom_pattern_name",
+      "custom_pattern_scope"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "security_configuration.create",
+    "description": "A security configuration was created",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "security_configuration_description",
+      "security_configuration_created_at",
+      "security_configuration_updated_at",
+      "security_configuration_enable_ghas",
+      "security_configuration_private_vulnerability_reporting",
+      "security_configuration_dependency_graph",
+      "security_configuration_dependabot_alerts",
+      "security_configuration_dependabot_security_updates",
+      "security_configuration_code_scanning",
+      "security_configuration_secret_scanning",
+      "security_configuration_secret_scanning_push_protection",
+      "security_configuration_secret_scanning_validity_checks",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "security_configuration_dependency_graph_autosubmit_action",
+      "security_configuration_secret_scanning_non_provider_patterns",
+      "security_configuration_secret_scanning_delegated_bypass",
+      "security_configuration_secret_scanning_generic_secrets",
+      "security_configuration_secret_scanning_delegated_alert_dismissal",
+      "security_configuration_code_scanning_delegated_alert_dismissal",
+      "security_configuration_code_security_sku_enabled",
+      "security_configuration_secret_protection_sku_enabled"
+    ]
+  },
+  {
+    "action": "security_configuration_default.delete",
+    "description": "A default security configuration setting for new repositories was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "default_for_new_private_repos",
+      "default_for_new_public_repos",
+      "security_configuration_name",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "security_configuration_default.update",
+    "description": "A default security configuration setting for new repositories was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "default_for_new_private_repos",
+      "default_for_new_public_repos",
+      "security_configuration_name",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "security_configuration.delete",
+    "description": "A security configuration was deleted",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "security_configuration_description",
+      "security_configuration_created_at",
+      "security_configuration_updated_at",
+      "security_configuration_enable_ghas",
+      "security_configuration_private_vulnerability_reporting",
+      "security_configuration_dependency_graph",
+      "security_configuration_dependabot_alerts",
+      "security_configuration_dependabot_security_updates",
+      "security_configuration_code_scanning",
+      "security_configuration_secret_scanning",
+      "security_configuration_secret_scanning_push_protection",
+      "security_configuration_secret_scanning_validity_checks",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "security_configuration_dependency_graph_autosubmit_action",
+      "security_configuration_secret_scanning_non_provider_patterns",
+      "security_configuration_secret_scanning_delegated_bypass",
+      "security_configuration_secret_scanning_delegated_alert_dismissal",
+      "security_configuration_code_scanning_delegated_alert_dismissal",
+      "security_configuration_code_security_sku_enabled",
+      "security_configuration_secret_protection_sku_enabled"
+    ]
+  },
+  {
+    "action": "security_configuration_policy.update",
+    "description": "A security configuration policy was updated",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "enforcement",
+      "security_configuration_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "security_configuration.update",
+    "description": "A security configuration was updated",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "security_configuration_description",
+      "security_configuration_created_at",
+      "security_configuration_updated_at",
+      "security_configuration_enable_ghas",
+      "security_configuration_private_vulnerability_reporting",
+      "security_configuration_dependency_graph",
+      "security_configuration_dependabot_alerts",
+      "security_configuration_dependabot_security_updates",
+      "security_configuration_code_scanning",
+      "security_configuration_secret_scanning",
+      "security_configuration_secret_scanning_push_protection",
+      "security_configuration_secret_scanning_validity_checks",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "security_configuration_dependency_graph_autosubmit_action",
+      "security_configuration_secret_scanning_non_provider_patterns",
+      "security_configuration_secret_scanning_delegated_bypass",
+      "security_configuration_secret_scanning_generic_secrets",
+      "security_configuration_secret_scanning_delegated_alert_dismissal",
+      "security_configuration_code_scanning_delegated_alert_dismissal",
+      "security_configuration_code_security_sku_enabled",
+      "security_configuration_secret_protection_sku_enabled"
+    ]
+  },
+  {
+    "action": "security_key.register",
+    "description": "A security key was registered for an account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "created_at",
+      "user_id",
+      "action",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "user_agent",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "security_key.remove",
+    "description": "A security key was removed from an account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "action",
+      "created_at",
+      "user",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "social_identity.linked",
+    "description": "A user linked a social identity to their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "actor_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked",
+    "description": "A user unlinked a social identity from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked_all",
+    "description": "A user unlinked all social identities from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.agreement_sign",
+    "description": "A GitHub Sponsors agreement was signed on behalf of an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.custom_amount_settings_change",
+    "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "sponsors_listing_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers"
+  },
+  {
+    "action": "sponsors.fiscal_host_change",
+    "description": "The fiscal host for a GitHub Sponsors listing was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.repo_funding_links_file_action",
+    "description": "The FUNDING file in a repository was changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository",
+    "fields": [
+      "@timestamp",
+      "action",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repository",
+      "repository_id",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_cancel",
+    "description": "A sponsorship was canceled.",
+    "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship",
+    "fields": [
+      "operation_type",
+      "_document_id",
+      "created_at",
+      "actor",
+      "user",
+      "action",
+      "actor_id",
+      "user_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Downgrading a sponsorship"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_create",
+    "description": "A sponsorship was created, by sponsoring an account.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes",
+    "fields": [
+      "actor",
+      "user_id",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_payment_complete",
+    "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes",
+    "fields": [
+      "active",
+      "user",
+      "user_id",
+      "actor",
+      "actor_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_preference_change",
+    "description": "The option to receive email updates from a sponsored account was changed.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship",
+    "fields": [
+      "actor_id",
+      "action",
+      "@timestamp",
+      "request_id",
+      "user_id",
+      "created_at",
+      "user",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_tier_change",
+    "description": "A sponsorship was upgraded or downgraded.",
+    "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship",
+    "fields": [
+      "user_id",
+      "actor",
+      "actor_id",
+      "action",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship"
+  },
+  {
+    "action": "sponsors.sponsored_developer_approve",
+    "description": "A GitHub Sponsors account was approved.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "actor",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_create",
+    "description": "A GitHub Sponsors account was created.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "request_id",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_disable",
+    "description": "A GitHub Sponsors account was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "sponsors.sponsored_developer_profile_update",
+    "description": "The profile for GitHub Sponsors account was edited.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors",
+    "fields": [
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "actor",
+      "action",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors"
+  },
+  {
+    "action": "sponsors.sponsored_developer_redraft",
+    "description": "A GitHub Sponsors account was returned to draft state from approved state.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "user",
+      "action",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user_id"
+    ]
+  },
+  {
+    "action": "sponsors.sponsored_developer_request_approval",
+    "description": "An application for GitHub Sponsors was submitted for approval.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_agent",
+      "user",
+      "@timestamp",
+      "actor_id",
+      "user_id",
+      "request_id",
+      "_document_id",
+      "actor",
+      "action",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_tier_description_update",
+    "description": "The description for a sponsorship tier was changed.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "actor",
+      "user_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "user",
+      "created_at"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers"
+  },
+  {
+    "action": "sponsors.sponsored_developer_update_newsletter_send",
+    "description": "Triggered when you send an email update to your sponsors.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors",
+    "fields": [
+      "request_id",
+      "actor",
+      "action",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "created_at",
+      "actor_id",
+      "user",
+      "user_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors"
+  },
+  {
+    "action": "sponsors.sponsors_patreon_user_create",
+    "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "patreon_email",
+      "patreon_username",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account"
+  },
+  {
+    "action": "sponsors.sponsors_patreon_user_destroy",
+    "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "patreon_email",
+      "patreon_username",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Unlinking your Patreon account from GitHub"
+  },
+  {
+    "action": "sponsors.update_tier_repository",
+    "description": "A GitHub Sponsors tier changed access for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "repo",
+      "repo_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.update_tier_welcome_message",
+    "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.waitlist_join",
+    "description": "You join the waitlist to join GitHub Sponsors.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "request_id",
+      "actor",
+      "user_id",
+      "user_agent",
+      "actor_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "user",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.withdraw_agreement_signature",
+    "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "ssh_certificate_authority.create",
+    "description": "An SSH certificate authority for an organization or enterprise was created.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "fingerprint",
+      "operation_type",
+      "openssh_public_key",
+      "org_id",
+      "actor",
+      "created_at",
+      "org",
+      "action",
+      "user_agent",
+      "actor_id",
+      "request_id"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "ssh_certificate_authority.destroy",
+    "description": "An SSH certificate authority for an organization or enterprise was deleted.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "fingerprint",
+      "operation_type",
+      "actor",
+      "org_id",
+      "openssh_public_key",
+      "org",
+      "action",
+      "user_agent",
+      "actor_id",
+      "@timestamp",
+      "request_id"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "ssh_certificate_requirement.disable",
+    "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "user",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "request_id",
+      "org",
+      "org_id",
+      "created_at",
+      "actor",
+      "action",
+      "user_id",
+      "business",
+      "business_id",
+      "@timestamp",
+      "actor_id"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "ssh_certificate_requirement.enable",
+    "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "actor_id",
+      "user_id",
+      "org",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "user",
+      "action",
+      "org_id",
+      "created_at",
+      "user_agent"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "staff.set_domain_token_expiration",
+    "description": "The verification code expiry time for an organization or enterprise domain was set.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner_type",
+      "domain_name",
+      "business_id",
+      "token_expires_at",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "staff.unverify_domain",
+    "description": "An organization or enterprise domain was unverified.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "owner_type",
+      "domain_name",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "staff.verify_domain",
+    "description": "An organization or enterprise domain was verified.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "domain_name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "successor_invitation.accept",
+    "description": "Triggered when you accept a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.cancel",
+    "description": "Triggered when you cancel a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.create",
+    "description": "Triggered when you create a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.decline",
+    "description": "Triggered when you decline a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "successor_invitation.revoke",
+    "description": "Triggered when you revoke a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "team.add_member",
+    "description": "A member of an organization was added to a team.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "org_id",
+      "user_id",
+      "team",
+      "user",
+      "@timestamp",
+      "actor_id",
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "org",
+      "action",
+      "actor",
+      "programmatic_access_type",
+      "team_type"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
+  },
+  {
+    "action": "team.add_repository",
+    "description": "A team was given access and permissions to a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "team",
+      "action",
+      "operation_type",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "org",
+      "repo",
+      "actor_id",
+      "_document_id",
+      "repo_id",
+      "user_agent",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "team.add_to_organization",
+    "description": "A team was added to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "team.change_parent_team",
+    "description": "A child team was created or a child team's parent was changed.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy",
+    "fields": [
+      "org",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "team",
+      "action",
+      "operation_type",
+      "actor",
+      "request_id",
+      "actor_id",
+      "user_agent",
+      "org_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy"
+  },
+  {
+    "action": "team.change_privacy",
+    "description": "A team's privacy level was changed.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "org",
+      "action",
+      "team",
+      "created_at",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "@timestamp",
+      "actor",
+      "_document_id",
+      "team_type"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
+  },
+  {
+    "action": "team.create",
+    "description": "A new team is created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "oauth_application_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "org_id",
+      "user_agent",
+      "team",
+      "org",
+      "actor",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "team_type"
+    ]
+  },
+  {
+    "action": "team.demote_maintainer",
+    "description": "A user was demoted from a team maintainer to a team member.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "team",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member"
+  },
+  {
+    "action": "team.destroy",
+    "description": "A team was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org",
+      "team",
+      "org_id",
+      "actor_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "_document_id",
+      "programmatic_access_type",
+      "team_type"
+    ]
+  },
+  {
+    "action": "team_discussions.clear",
+    "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "business_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "user",
+      "business",
+      "action",
+      "request_id",
+      "created_at",
+      "user_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "team_discussions.disable",
+    "description": "Team discussions were disabled for an organization.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization",
+    "fields": [
+      "org_id",
+      "action",
+      "operation_type",
+      "request_id",
+      "actor",
+      "org",
+      "created_at",
+      "actor_id",
+      "user",
+      "user_id",
+      "@timestamp",
+      "user_agent",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Organizations and teams documentation"
+  },
+  {
+    "action": "team_discussions.enable",
+    "description": "Team discussions were enabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "@timestamp",
+      "action",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "business_id",
+      "request_id",
+      "user",
+      "business",
+      "operation_type",
+      "actor",
+      "created_at"
+    ]
+  },
+  {
+    "action": "team.promote_maintainer",
+    "description": "A user was promoted from a team member to a team maintainer.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "team",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer"
+  },
+  {
+    "action": "team.remove_from_organization",
+    "description": "A team was removed from an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "team.remove_member",
+    "description": "An organization member was removed from a team.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team",
+    "fields": [
+      "request_id",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "org",
+      "org_id",
+      "team",
+      "user_id",
+      "actor",
+      "user",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "team_type"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
+  },
+  {
+    "action": "team.remove_repository",
+    "description": "A repository was removed from a team's control.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "org_id",
+      "repo",
+      "repo_id",
+      "action",
+      "_document_id",
+      "actor",
+      "@timestamp",
+      "actor_id",
+      "user_agent",
+      "created_at",
+      "team",
+      "org",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "team.rename",
+    "description": "A team's name was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "user_agent",
+      "created_at",
+      "team",
+      "operation_type",
+      "actor_id",
+      "org",
+      "action",
+      "request_id",
+      "actor",
+      "org_id",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "team_type"
+    ]
+  },
+  {
+    "action": "team_sync_tenant.disabled",
+    "description": "Team synchronization with a tenant was disabled.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise",
+    "fields": [
+      "action",
+      "created_at",
+      "actor",
+      "request_id",
+      "org_id",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "@timestamp",
+      "org",
+      "user_agent"
+    ],
+    "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise"
+  },
+  {
+    "action": "team_sync_tenant.enabled",
+    "description": "Team synchronization with a tenant was enabled.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise",
+    "fields": [
+      "org_id",
+      "business_id",
+      "actor",
+      "created_at",
+      "user_agent",
+      "@timestamp",
+      "operation_type",
+      "business",
+      "actor_id",
+      "org",
+      "request_id",
+      "action",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise"
+  },
+  {
+    "action": "team.update_repository_permission",
+    "description": "A team's permission to a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "team",
+      "org_id",
+      "@timestamp",
+      "org",
+      "_document_id",
+      "old_permission",
+      "request_id",
+      "repo",
+      "action",
+      "repo_id",
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "permission",
+      "new_repo_permission",
+      "new_repo_base_role",
+      "old_repo_permission",
+      "old_repo_base_role",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "trusted_device.register",
+    "description": "A new trusted device was added.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "trusted_device.remove",
+    "description": "A trusted device was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.abort",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "action",
+      "request_id",
+      "user_id",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_agent",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.complete",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "@timestamp",
+      "created_at",
+      "user_id",
+      "operation_type",
+      "user",
+      "_document_id",
+      "user_agent",
+      "action"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.ignore",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "created_at",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "user",
+      "action"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.staff_approve",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "user",
+      "user_id",
+      "user_agent",
+      "operation_type",
+      "action",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.staff_decline",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "operation_type",
+      "user",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.start",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "user_id",
+      "action",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.two_factor_destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "user",
+      "_document_id",
+      "request_id"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.add_factor",
+    "description": "A secondary authentication factor was added to a user account.",
+    "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication"
+  },
+  {
+    "action": "two_factor_authentication.disabled",
+    "description": "Two-factor authentication was disabled for a user account.",
+    "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account",
+    "fields": [
+      "actor",
+      "action",
+      "_document_id",
+      "user_agent",
+      "user",
+      "user_id",
+      "actor_id",
+      "created_at",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Disabling two-factor authentication for your personal account"
+  },
+  {
+    "action": "two_factor_authentication.enabled",
+    "description": "Two-factor authentication was enabled for a user account.",
+    "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication",
+    "fields": [
+      "actor",
+      "operation_type",
+      "user_agent",
+      "action",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "user",
+      "user_id",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Configuring two-factor authentication"
+  },
+  {
+    "action": "two_factor_authentication.password_reset_fallback_sms",
+    "description": "A one-time password code was sent to a user account fallback phone number.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "created_at",
+      "user",
+      "user_id",
+      "action",
+      "@timestamp",
+      "request_id",
+      "_document_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.recovery_codes_regenerated",
+    "description": "Two factor recovery codes were regenerated for a user account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "action",
+      "user",
+      "user_agent",
+      "actor_id",
+      "@timestamp",
+      "created_at"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.remove_factor",
+    "description": "A secondary authentication factor was removed from a user account.",
+    "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication"
+  },
+  {
+    "action": "two_factor_authentication.sign_in_fallback_sms",
+    "description": "A one-time password code was sent to a user account fallback phone number.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "operation_type",
+      "user_id",
+      "user",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "action",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.update_fallback",
+    "description": "The two-factor authentication fallback for a user account was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "user",
+      "user_id",
+      "operation_type",
+      "user_agent",
+      "action",
+      "request_id",
+      "actor",
+      "actor_id"
+    ]
+  },
+  {
+    "action": "user.add_email",
+    "description": "An email address was added to a user account.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account",
+    "fields": [
+      "action",
+      "request_id",
+      "user",
+      "user_id",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "actor_id",
+      "actor",
+      "email",
+      "@timestamp",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding an email address to your GitHub account"
+  },
+  {
+    "action": "user.async_delete",
+    "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "created_at",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "user_agent",
+      "action",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.audit_log_export",
+    "description": "Audit log entries were exported.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "action",
+      "request_id",
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "operation_type",
+      "created_at"
+    ]
+  },
+  {
+    "action": "user.block_user",
+    "description": "A user was blocked by another user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "actor",
+      "user_id",
+      "_document_id",
+      "actor_id",
+      "@timestamp",
+      "user_agent",
+      "user",
+      "request_id",
+      "blocked_user",
+      "operation_type",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.change_password",
+    "description": "A user changed their password.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "actor_id",
+      "operation_type",
+      "actor",
+      "user",
+      "user_id",
+      "action",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.codespaces_trusted_repo_access_granted",
+    "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "user.codespaces_trusted_repo_access_revoked",
+    "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "user_content_edit.delete",
+    "description": "Triggered when a user content edit is deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "user_content_id",
+      "user_content_type",
+      "created_at",
+      "user_agent",
+      "deleted_by",
+      "editor_id",
+      "_document_id",
+      "deleted_at",
+      "action",
+      "actor_id",
+      "editor",
+      "deleted_by_id",
+      "deleted_content",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "user.correct_password_from_unrecognized_device",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "user_agent",
+      "created_at",
+      "user",
+      "action",
+      "operation_type",
+      "request_id",
+      "user_id",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.correct_password_from_unrecognized_device_and_location",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "operation_type",
+      "request_id",
+      "user_id",
+      "action",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.correct_password_from_unrecognized_location",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "@timestamp",
+      "user",
+      "action",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.create",
+    "description": "A new user account was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "email",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "user",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.create_integration_secret",
+    "description": "A user secret for Codespaces was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.creation_rate_limit_exceeded",
+    "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "created_at",
+      "user_agent",
+      "_document_id",
+      "operation_type",
+      "oauth_application_id",
+      "action",
+      "actor",
+      "actor_id",
+      "request_id",
+      "user_id",
+      "@timestamp",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.delete",
+    "description": "A user account was destroyed by an asynchronous job.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "action",
+      "request_id",
+      "user_id",
+      "actor",
+      "actor_id",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.demote",
+    "description": "A site administrator was demoted to an ordinary user account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "oauth_application_id",
+      "action",
+      "user",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.destroy",
+    "description": "A user deleted his or her account, triggering user.async_delete.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "user",
+      "_document_id",
+      "created_at",
+      "user_agent",
+      "user_id",
+      "operation_type",
+      "actor_id",
+      "action",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.device_verification_failure",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user",
+      "user_agent",
+      "user_id",
+      "actor_id",
+      "action",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.device_verification_requested",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "user_id",
+      "actor",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user",
+      "actor_id",
+      "action",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.device_verification_success",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "user",
+      "_document_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "created_at",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.disable_collaborators_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.disable_contributors_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.disable_sockpuppet_disallowed",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user_email.confirm_claim",
+    "description": "An enterprise managed user claimed an email address.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_email.mark_as_unclaimed",
+    "description": "N/A",
+    "docs_reference_links": "An enterprise managed user unclaimed an email address.",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address."
+  },
+  {
+    "action": "user.enable_collaborators_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.enable_contributors_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.enable_sockpuppet_disallowed",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.failed_login",
+    "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "action",
+      "operation_type",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user",
+      "org_id",
+      "actor",
+      "actor_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "user.flag_as_large_scale_contributor",
+    "description": "A user account was flagged as a large scale contributor. Only contributions from public repositories the user owns will be shown in their contribution graph, in order to prevent timeouts.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "user_agent",
+      "created_at"
+    ]
+  },
+  {
+    "action": "user.forgot_password",
+    "description": "A user requested a password reset.",
+    "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials",
+    "fields": [
+      "action",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "email",
+      "created_at",
+      "user_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials"
+  },
+  {
+    "action": "user.grant_github_developer",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "created_at",
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_id",
+      "actor",
+      "operation_type",
+      "request_id"
+    ]
+  },
+  {
+    "action": "user.hide_private_contributions_count",
+    "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Manage visibility settings for private contributions"
+  },
+  {
+    "action": "user.login",
+    "description": "A user signed in.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "user_id",
+      "actor_id",
+      "@timestamp",
+      "user",
+      "action",
+      "operation_type",
+      "_document_id",
+      "request_id",
+      "created_at",
+      "actor",
+      "passkey_nickname",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.logout",
+    "description": "A user signed out.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.minimize_comment",
+    "description": "A comment made by a user was minimized.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "user",
+      "user_id",
+      "action",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.new_device_used",
+    "description": "A user signed in from a new device.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "user_id",
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.partial_two_factor_email_followup",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "_document_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "user",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.promote",
+    "description": "An ordinary user account was promoted to a site administrator.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "action",
+      "actor",
+      "actor_id",
+      "user",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "oauth_application_id",
+      "request_id",
+      "operation_type",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.recreate",
+    "description": "A user's account was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "user",
+      "action",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "user_id",
+      "created_at",
+      "actor",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "user.remove_email",
+    "description": "An email address was removed from a user account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "user",
+      "user_id",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "created_at",
+      "email",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.remove_integration_secret",
+    "description": "A user secret for Codespaces was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.remove_large_scale_contributor_flag",
+    "description": "A user account was no longer flagged as a large scale contributor.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.rename",
+    "description": "A username was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "request_id",
+      "actor_id",
+      "old_login",
+      "created_at",
+      "_document_id",
+      "actor",
+      "user_id",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.report_abuse",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "user_agent",
+      "request_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "org_id",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "user.report_content",
+    "description": "Triggered when you report an issue or pull request, or a comment on an issue, pull request, or commit.",
+    "docs_reference_links": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam",
+    "fields": [
+      "org_id",
+      "request_id",
+      "user",
+      "user_agent",
+      "action",
+      "created_at",
+      "actor",
+      "operation_type",
+      "actor_id",
+      "user_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/maintaining-your-safety-on-github/reporting-abuse-or-spam"
+  },
+  {
+    "action": "user.reset_password",
+    "description": "A user reset their account password.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "user_agent",
+      "user",
+      "request_id",
+      "user_id",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_session.country_change",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "request_id",
+      "user_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_agent",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "user.show_private_contributions_count",
+    "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "user_id",
+      "action",
+      "actor",
+      "user",
+      "operation_type",
+      "user_agent",
+      "actor_id",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Manage visibility settings for private contributions"
+  },
+  {
+    "action": "user.sign_in_from_unrecognized_device",
+    "description": "A user signed in from an unrecognized device.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "action",
+      "_document_id",
+      "user_agent",
+      "user",
+      "user_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.sign_in_from_unrecognized_device_and_location",
+    "description": "A user signed in from an unrecognized device and location.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "@timestamp",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "action",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.sign_in_from_unrecognized_location",
+    "description": "A user signed in from an unrecognized location.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "user",
+      "_document_id",
+      "actor",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_status.destroy",
+    "description": "Triggered when you clear the status on your profile.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "user_id",
+      "actor",
+      "message",
+      "user",
+      "actor_id",
+      "created_at",
+      "request_id",
+      "limited_availability",
+      "action",
+      "emoji",
+      "operation_type",
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_status.update",
+    "description": "Triggered when you set or change the status on your profile.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status",
+    "fields": [
+      "limited_availability",
+      "user",
+      "action",
+      "actor_id",
+      "message",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "emoji",
+      "org",
+      "actor",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Personalize your profile"
+  },
+  {
+    "action": "user.suspend",
+    "description": "A user account was suspended.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "oauth_application_id",
+      "operation_type",
+      "actor_id",
+      "user",
+      "user_agent",
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user_id",
+      "action",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.toggle_warn_private_email",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user",
+      "actor_id",
+      "@timestamp",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "action",
+      "user_id",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_challenge_failure",
+    "description": "A 2FA challenge issued for a user account failed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "user",
+      "actor_id",
+      "actor",
+      "user_id",
+      "@timestamp",
+      "action",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_challenge_success",
+    "description": "A 2FA challenge issued for a user account succeeded.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "actor_id",
+      "user",
+      "actor",
+      "user_agent",
+      "request_id",
+      "action",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_recover",
+    "description": "A user used their 2FA recovery codes.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "user",
+      "action",
+      "actor",
+      "actor_id",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_recovery_codes_downloaded",
+    "description": "A user downloaded 2FA recovery codes for their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "actor_id",
+      "user",
+      "request_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "actor",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_recovery_codes_printed",
+    "description": "A user printed 2FA recovery codes for their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "user.two_factor_recovery_codes_viewed",
+    "description": "A user viewed 2FA recovery codes for their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user_agent",
+      "actor",
+      "user_id",
+      "action",
+      "created_at",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_requested",
+    "description": "A user was prompted for a two-factor authentication code.",
+    "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication",
+    "fields": [
+      "user",
+      "actor_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "actor"
+    ],
+    "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication"
+  },
+  {
+    "action": "user.unblock_user",
+    "description": "A user was unblocked by another user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "request_id",
+      "_document_id",
+      "blocked_user",
+      "operation_type",
+      "actor",
+      "@timestamp",
+      "user_agent",
+      "user_id",
+      "user",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.unminimize_comment",
+    "description": "A comment made by a user was unminimized.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "user_agent",
+      "_document_id",
+      "actor_id",
+      "user",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "actor",
+      "action",
+      "created_at"
+    ]
+  },
+  {
+    "action": "user.unsuspend",
+    "description": "A user account was unsuspended.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "_document_id",
+      "user",
+      "action",
+      "user_agent",
+      "actor",
+      "oauth_application_id",
+      "operation_type",
+      "actor_id",
+      "created_at",
+      "@timestamp",
+      "user_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.update_integration_secret",
+    "description": "A user secret for Codespaces was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.update_new_repository_default_branch_setting",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.create",
+    "description": "A Dependabot rule was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.delete",
+    "description": "A Dependabot rule was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.disable",
+    "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.enable",
+    "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_disable",
+    "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_enable",
+    "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.update",
+    "description": "A Dependabot rule's conditions, actions, or metadata changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "workflows.approve_workflow_job",
+    "description": "A workflow job was approved.",
+    "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Reviewing deployments"
+  },
+  {
+    "action": "workflows.bypass_protection_rules",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "workflow_run_id",
+      "run_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.cancel_workflow_run",
+    "description": "A workflow run was cancelled.",
+    "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "run_number",
+      "cancelled_at",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Canceling a workflow run"
+  },
+  {
+    "action": "workflows.comment_workflow_job",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "workflows.completed_workflow_run",
+    "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "completed_at",
+      "conclusion",
+      "run_number",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "run_attempt",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Viewing workflow run history"
+  },
+  {
+    "action": "workflows.created_workflow_run",
+    "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Understanding GitHub Actions"
+  },
+  {
+    "action": "workflows.delete_workflow_run",
+    "description": "A workflow run was deleted.",
+    "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "workflow_run_id",
+      "started_at",
+      "head_branch",
+      "head_sha",
+      "trigger_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Deleting a workflow run"
+  },
+  {
+    "action": "workflows.disable_workflow",
+    "description": "A workflow was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "workflow_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.enable_workflow",
+    "description": "A workflow was enabled, after previously being disabled by disable_workflow.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "workflow_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.pin_workflow",
+    "description": "A workflow was pinned.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "workflow_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.prepared_workflow_job",
+    "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows",
+    "fields": [
+      "repo_id",
+      "repo",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "workflow_run_id",
+      "job_name",
+      "runner_labels",
+      "is_hosted_runner",
+      "environment_name",
+      "secrets_passed",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp",
+      "runner_owner_type",
+      "job_workflow_ref",
+      "calling_workflow_refs",
+      "calling_workflow_shas",
+      "imposer_repo"
+    ],
+    "docs_reference_titles": "Events that trigger workflows"
+  },
+  {
+    "action": "workflows.reject_workflow_job",
+    "description": "A workflow job was rejected.",
+    "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Reviewing deployments"
+  },
+  {
+    "action": "workflows.rerun_workflow_run",
+    "description": "A workflow run was re-run.",
+    "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "run_number",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "run_attempt",
+      "rerun_type",
+      "check_run_id",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Re-running workflows and jobs"
+  },
+  {
+    "action": "workflows.unpin_workflow",
+    "description": "A workflow was unpinned after previously being pinned.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "workflow_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  }
+]
\ No newline at end of file
diff --git a/src/audit-logs/data/ghes-3.19/organization.json b/src/audit-logs/data/ghes-3.19/organization.json
new file mode 100644
index 000000000000..21e7f1ad0f2d
--- /dev/null
+++ b/src/audit-logs/data/ghes-3.19/organization.json
@@ -0,0 +1,17575 @@
+[
+  {
+    "action": "account.billing_date_change",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "_document_id",
+      "created_at",
+      "action",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org_id"
+    ]
+  },
+  {
+    "action": "account.plan_change",
+    "description": "The account's plan changed.",
+    "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans",
+    "fields": [
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "created_at",
+      "actor_id",
+      "request_id",
+      "@timestamp",
+      "user",
+      "action",
+      "user_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "How GitHub billing works"
+  },
+  {
+    "action": "actions_cache.delete",
+    "description": "A GitHub Actions cache was deleted using the REST API.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "user_id",
+      "user",
+      "repo_id",
+      "repo",
+      "org",
+      "org_id",
+      "actions_cache_id",
+      "actions_cache_key",
+      "actions_cache_version",
+      "actions_cache_scope",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "advisory_credit.accept",
+    "description": "Credit was accepted for a security advisory.",
+    "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "ghsa_id",
+      "repo",
+      "repo_id",
+      "recipient",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/editing-a-repository-security-advisory"
+  },
+  {
+    "action": "advisory_credit.create",
+    "description": "Someone was added to the credit section of a security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "ghsa_id",
+      "repo",
+      "repo_id",
+      "recipient",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "advisory_credit.decline",
+    "description": "Credit was declined for a security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "ghsa_id",
+      "repo",
+      "repo_id",
+      "recipient",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "advisory_credit.destroy",
+    "description": "Someone was removed from the credit section of a security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "ghsa_id",
+      "repo",
+      "repo_id",
+      "recipient",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "artifact.destroy",
+    "description": "A workflow run artifact was manually deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "request_id",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "auto_approve_personal_access_token_requests.disable",
+    "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources. See also: personal_access_token.auto_approve_grant_requests_disabled",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization"
+  },
+  {
+    "action": "auto_approve_personal_access_token_requests.enable",
+    "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval. See also: personal_access_token.auto_approve_grant_requests_enabled",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization"
+  },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
+  {
+    "action": "billing.change_billing_type",
+    "description": "The way the account pays for GitHub was changed.",
+    "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method",
+    "fields": [
+      "actor_id",
+      "user",
+      "@timestamp",
+      "actor",
+      "user_id",
+      "action",
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "request_id"
+    ],
+    "docs_reference_titles": "Managing your payment and billing information"
+  },
+  {
+    "action": "billing.change_email",
+    "description": "The billing email address changed.",
+    "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email",
+    "fields": [
+      "actor",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "org",
+      "email",
+      "action",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing your payment and billing information"
+  },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing.lock",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "oauth_application_id",
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "request_id",
+      "actor",
+      "user",
+      "user_id",
+      "user_agent",
+      "created_at",
+      "action"
+    ]
+  },
+  {
+    "action": "billing.unlock",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "operation_type",
+      "user_agent",
+      "created_at",
+      "user_id",
+      "request_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "checks.auto_trigger_disabled",
+    "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.",
+    "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites",
+    "fields": [
+      "visibility",
+      "user_agent",
+      "user",
+      "@timestamp",
+      "repo",
+      "actor_id",
+      "user_id",
+      "action",
+      "created_at",
+      "actor",
+      "operation_type",
+      "request_id",
+      "repo_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites"
+  },
+  {
+    "action": "checks.auto_trigger_enabled",
+    "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.",
+    "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites"
+  },
+  {
+    "action": "checks.delete_logs",
+    "description": "Logs in a check suite were deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "repo_id",
+      "action",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "code_scanning.alert_appeared_in_branch",
+    "description": "Existing code scanning alerts appeared in a branch.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closed_became_fixed",
+    "description": "Code scanning alerts were fixed.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closed_became_outdated",
+    "description": "Code scanning alerts were closed as outdated (all configurations they were detected in were deleted).",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_numbers",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closed_by_user",
+    "description": "Code scanning alerts were manually dismissed.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "actor_id",
+      "request_id",
+      "actor",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers",
+      "dismissal_approver_id"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closure_approved",
+    "description": "Dismissal of code scanning alerts was approved.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "dismissal_request_id",
+      "alert_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closure_denied",
+    "description": "Dismissal of code scanning alerts was denied.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "dismissal_request_id",
+      "alert_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_closure_requested",
+    "description": "Dismissal of code scanning alerts was requested.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "dismissal_request_id",
+      "alert_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_created",
+    "description": "Code scanning alerts were seen for the first time.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_reappeared",
+    "description": "Code scanning alerts that were previously fixed reappeared.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "commit_oid",
+      "ref",
+      "request_id",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "code_scanning.alert_reopened_by_user",
+    "description": "Code scanning alerts that were previously dismissed were reopened.",
+    "docs_reference_links": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning",
+    "fields": [
+      "repo_id",
+      "alert_number",
+      "actor_id",
+      "request_id",
+      "actor",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "alert_numbers"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning"
+  },
+  {
+    "action": "codespaces.allow_permissions",
+    "description": "A codespace using custom permissions from its devcontainer.json file was launched.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "origin_repository",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "codespaces.attempted_to_create_from_prebuild",
+    "description": "An attempt to create a codespace from a prebuild was made.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "owner",
+      "pull_request_id",
+      "repository",
+      "repository_id",
+      "user_id",
+      "user",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "codespaces.business_enablement_updated",
+    "description": "Enterprise setting for Codespaces ownership was updated.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "enablement",
+      "organization_names",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization"
+  },
+  {
+    "action": "codespaces.connect",
+    "description": "Credentials for a codespace were refreshed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "user_id",
+      "org_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "machine_type",
+      "devcontainer_path"
+    ]
+  },
+  {
+    "action": "codespaces.create",
+    "description": "A codespace was created",
+    "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "machine_type",
+      "devcontainer_path"
+    ],
+    "docs_reference_titles": "Creating a codespace for a repository"
+  },
+  {
+    "action": "codespaces.destroy",
+    "description": "A user deleted a codespace.",
+    "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Deleting a codespace"
+  },
+  {
+    "action": "codespaces.export_environment",
+    "description": "A codespace was exported to a branch on GitHub.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "owner",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "codespaces.policy_group_created",
+    "description": "Policies were applied to codespaces in an organization or enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "codespaces.policy_group_deleted",
+    "description": "Policies were removed from codespaces in an organization or enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "codespaces.policy_group_updated",
+    "description": "Policies were updated for codespaces in an organization or enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "codespaces.restore",
+    "description": "A codespace was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "codespaces.start_environment",
+    "description": "A codespace was started.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "org",
+      "owner",
+      "pull_request_id",
+      "machine_type",
+      "user_id",
+      "user",
+      "devcontainer_path",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "codespaces.suspend_environment",
+    "description": "A codespace was stopped.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "codespaces.trusted_repositories_access_update",
+    "description": "A personal account's access and security setting for Codespaces were updated.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "commit_comment.destroy",
+    "description": "A commit comment was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "repo",
+      "org",
+      "org_id",
+      "created_at",
+      "@timestamp",
+      "operation_type",
+      "repo_id",
+      "actor_id",
+      "request_id",
+      "_document_id",
+      "user_agent",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "commit_comment.update",
+    "description": "A commit comment was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "repo_id",
+      "actor",
+      "org",
+      "request_id",
+      "action",
+      "@timestamp",
+      "repo",
+      "org_id",
+      "actor_id",
+      "created_at",
+      "user_agent",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "copilot.access_revoked",
+    "description": "Copilot access was revoked for the organization or enterprise due to its Copilot subscription ending, an issue with billing the entity, the entity being marked spammy, or the entity being suspended.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "reason",
+      "plan",
+      "org_id",
+      "owner",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_org_settings_changed",
+    "description": "Copilot feature settings were changed at the organization level.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_added",
+    "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_created",
+    "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.",
+    "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "What is GitHub Copilot?"
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_refreshed",
+    "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_reused",
+    "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_unassigned",
+    "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_cancelled",
+    "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "seat_assignment",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_cancelled_by_staff",
+    "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_id",
+      "user",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_management_changed",
+    "description": "The seat management setting was changed at the organization level to either enable or disable Copilot access for all members of the organization, or to enable Copilot access for selected members or teams.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_value",
+      "new_value",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.content_exclusion_changed",
+    "description": "The excluded paths for GitHub Copilot were updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "excluded_paths",
+      "owner_type",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "copilot.custom_instructions_created",
+    "description": "Copilot custom instructions were created for the organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "custom_instructions"
+    ]
+  },
+  {
+    "action": "copilot.custom_instructions_updated",
+    "description": "Copilot custom instructions were updated for the organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "custom_instructions"
+    ]
+  },
+  {
+    "action": "copilot.knowledge_base_created",
+    "description": "A knowledge base was created in the organization.",
+    "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "knowledge_base_name",
+      "org_id",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+  },
+  {
+    "action": "copilot.knowledge_base_deleted",
+    "description": "A knowledge base was deleted from the organization.",
+    "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "knowledge_base_name",
+      "org_id",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+  },
+  {
+    "action": "copilot.knowledge_base_updated",
+    "description": "A knowledge base was updated in the organization.",
+    "docs_reference_links": "copilot/github-copilot-enterprise/copilot-chat-in-github/managing-copilot-knowledge-bases",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "knowledge_base_name",
+      "org_id",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Creating and managing GitHub Copilot knowledge bases"
+  },
+  {
+    "action": "copilot.plan_changed",
+    "description": "The plan for GitHub Copilot was updated.",
+    "docs_reference_links": "/billing/managing-billing-for-github-copilot/about-billing-for-github-copilot",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_plan",
+      "plan",
+      "business_id",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "GitHub Copilot billing"
+  },
+  {
+    "action": "copilot.plan_downgrade_scheduled",
+    "description": "The plan for GitHub Copilot was scheduled to be downgraded.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "owner",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "current_plan",
+      "scheduled_plan"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_mcp_config_updated",
+    "description": "MCP Configuration for Copilot coding agent was updated for a specific repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_config",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_disabled",
+    "description": "Specific repositories were disabled from using Copilot coding agent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org_id",
+      "owner_type",
+      "actor_id",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_enabled",
+    "description": "Specific repositories were enabled to use Copilot coding agent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org_id",
+      "owner_type",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_enablement_updated",
+    "description": "Copilot coding agent access was updated for the organization's or user's repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_access",
+      "old_access",
+      "org_id",
+      "owner_type",
+      "owner",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_property_definition.create",
+    "description": "A new custom property definition was created.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "property_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "value_type",
+      "required",
+      "default_value",
+      "definition_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_definition.destroy",
+    "description": "A custom property definition was deleted.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "property_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "value_type",
+      "required",
+      "default_value",
+      "definition_id",
+      "allowed_values"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_definition.update",
+    "description": "A custom property definition was updated.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "property_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "value_type",
+      "required",
+      "default_value",
+      "old_allowed_values",
+      "allowed_values",
+      "definition_id",
+      "old_required",
+      "old_default_value",
+      "old_value_type",
+      "old_values_editable_by",
+      "values_editable_by",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_value.create",
+    "description": "A repository's custom property value was manually set for the first time.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "definition_id",
+      "property_name",
+      "value",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_value.destroy",
+    "description": "A repository's custom property value was deleted.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "custom_property_value.update",
+    "description": "A repository's custom property value was updated.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "definition_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization"
+  },
+  {
+    "action": "dependabot_alerts.disable",
+    "description": "Dependabot alerts were disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories"
+  },
+  {
+    "action": "dependabot_alerts.enable",
+    "description": "Dependabot alerts were enabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories"
+  },
+  {
+    "action": "dependabot_alerts_new_repos.disable",
+    "description": "Dependabot alerts were disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added"
+  },
+  {
+    "action": "dependabot_alerts_new_repos.enable",
+    "description": "Dependabot alerts were enabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added"
+  },
+  {
+    "action": "dependabot_repository_access.default_access_level_updated",
+    "description": "The default repository access for Dependabot was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "access_level",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "dependabot_repository_access.repositories_updated",
+    "description": "The repositories that Dependabot can access were updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependabot_security_updates.disable",
+    "description": "Dependabot security updates were disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependabot_security_updates.enable",
+    "description": "Dependabot security updates were enabled for all existing repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependabot_security_updates_new_repos.disable",
+    "description": " Dependabot security updates were disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependabot_security_updates_new_repos.enable",
+    "description": "Dependabot security updates were enabled for all new repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependency_graph.disable",
+    "description": "The dependency graph was disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependency_graph.enable",
+    "description": "The dependency graph was enabled for all existing repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependency_graph_new_repos.disable",
+    "description": "The dependency graph was disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependency_graph_new_repos.enable",
+    "description": "The dependency graph was enabled for all new repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "discussion_comment.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "org",
+      "repo_id",
+      "request_id",
+      "action",
+      "actor",
+      "org_id",
+      "_document_id",
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "discussion_comment.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "request_id",
+      "org",
+      "_document_id",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "repo",
+      "org_id",
+      "action",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "discussion.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "user_agent",
+      "actor_id",
+      "org_id",
+      "actor",
+      "org",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "title",
+      "_document_id",
+      "created_at",
+      "repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "discussion_post.destroy",
+    "description": "Triggered when a team discussion post is deleted.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment",
+    "fields": [
+      "request_id",
+      "team",
+      "created_at",
+      "user_id",
+      "@timestamp",
+      "number",
+      "org",
+      "title",
+      "actor",
+      "actor_id",
+      "user",
+      "action",
+      "user_agent",
+      "operation_type",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment"
+  },
+  {
+    "action": "discussion_post_reply.destroy",
+    "description": "Triggered when a reply to a team discussion post is deleted.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment",
+    "fields": [
+      "actor_id",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "operation_type",
+      "user_id",
+      "actor",
+      "number",
+      "user",
+      "created_at",
+      "request_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#deleting-a-comment"
+  },
+  {
+    "action": "discussion_post_reply.update",
+    "description": "Triggered when a reply to a team discussion post is edited.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment",
+    "fields": [
+      "action",
+      "_document_id",
+      "request_id",
+      "org",
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "user",
+      "user_id",
+      "org_id",
+      "user_agent",
+      "actor",
+      "number",
+      "team",
+      "created_at"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment"
+  },
+  {
+    "action": "discussion_post.update",
+    "description": "Triggered when a team discussion post is edited.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "title",
+      "user",
+      "user_agent",
+      "org",
+      "operation_type",
+      "actor_id",
+      "@timestamp",
+      "actor",
+      "team",
+      "action",
+      "org_id",
+      "request_id",
+      "user_id",
+      "number"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/managing-disruptive-comments#editing-a-comment"
+  },
+  {
+    "action": "enterprise_announcement.create",
+    "description": "A global announcement banner was created for the enterprise.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise#creating-a-global-announcement-banner",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "owner",
+      "owner_type",
+      "business_id",
+      "message",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Customizing user messages for your enterprise"
+  },
+  {
+    "action": "enterprise_announcement.destroy",
+    "description": "A global announcement banner was removed from the enterprise.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "owner",
+      "owner_type",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Customizing user messages for your enterprise"
+  },
+  {
+    "action": "enterprise_announcement.update",
+    "description": "A global announcement banner was updated for the enterprise.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/communicating-information-to-users-in-your-enterprise/customizing-user-messages-for-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "owner",
+      "owner_type",
+      "business_id",
+      "message",
+      "old_message",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Customizing user messages for your enterprise"
+  },
+  {
+    "action": "enterprise_installation.create",
+    "description": "The GitHub App associated with a GitHub Connect connection was created.",
+    "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect",
+    "fields": [
+      "created_at",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "org_id",
+      "action",
+      "request_id",
+      "org",
+      "actor_id",
+      "user_agent",
+      "actor"
+    ],
+    "docs_reference_titles": "Enabling GitHub Connect for GitHub.com"
+  },
+  {
+    "action": "enterprise_installation.destroy",
+    "description": "The GitHub App associated with a GitHub Connect connection was deleted.",
+    "docs_reference_links": "/admin/configuration/configuring-github-connect/managing-github-connect",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "action",
+      "@timestamp",
+      "actor_id",
+      "actor",
+      "user_agent",
+      "org",
+      "operation_type",
+      "request_id",
+      "org_id"
+    ],
+    "docs_reference_titles": "Enabling GitHub Connect for GitHub.com"
+  },
+  {
+    "action": "environment.add_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was created via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "environment.create_actions_secret",
+    "description": "A secret was created for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.create_actions_variable",
+    "description": "A variable was created for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.delete",
+    "description": "An environment was deleted.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.remove_actions_secret",
+    "description": "A secret was deleted for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.remove_actions_variable",
+    "description": "A variable was deleted for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.remove_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was deleted via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.update_actions_secret",
+    "description": "A secret was updated for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.update_actions_variable",
+    "description": "A variable was updated for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.update_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was updated via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "new_value",
+      "approvers_was",
+      "approvers",
+      "programmatic_access_type",
+      "can_admins_bypass",
+      "prevent_self_review"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "git.clone",
+    "description": "A repository was cloned. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "transport_protocol",
+      "request_id",
+      "repository",
+      "repository_id",
+      "repository_public",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "transport_protocol_name"
+    ]
+  },
+  {
+    "action": "git.fetch",
+    "description": "Changes were fetched from a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "transport_protocol",
+      "request_id",
+      "repository",
+      "repository_id",
+      "repository_public",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "transport_protocol_name"
+    ]
+  },
+  {
+    "action": "git.push",
+    "description": "Changes were pushed to a repository. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "transport_protocol",
+      "request_id",
+      "repository",
+      "repository_id",
+      "repository_public",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "transport_protocol_name"
+    ]
+  },
+  {
+    "action": "github_hosted_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "runner_group_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "github_hosted_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "github_hosted_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "runner_group_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "hook.active_changed",
+    "description": "A hook's active status was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "name",
+      "events",
+      "active",
+      "active_was",
+      "hook_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.config_changed",
+    "description": "A hook's configuration was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "name",
+      "org",
+      "user_agent",
+      "request_id",
+      "hook_id",
+      "repo",
+      "repo_id",
+      "created_at",
+      "oauth_application_id",
+      "action",
+      "events",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.create",
+    "description": "A new hook was added.",
+    "docs_reference_links": "/get-started/exploring-integrations/about-webhooks",
+    "fields": [
+      "oauth_application",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "repo_id",
+      "request_id",
+      "hook_id",
+      "events",
+      "repo",
+      "@timestamp",
+      "operation_type",
+      "name",
+      "action",
+      "created_at",
+      "org_id",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About webhooks"
+  },
+  {
+    "action": "hook.destroy",
+    "description": "A hook was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "events",
+      "repo",
+      "created_at",
+      "org",
+      "name",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "org_id",
+      "action",
+      "operation_type",
+      "oauth_application_id",
+      "user_agent",
+      "hook_id",
+      "@timestamp",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.events_changed",
+    "description": "A hook's configured events were changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "events",
+      "repo",
+      "operation_type",
+      "action",
+      "_document_id",
+      "actor_id",
+      "name",
+      "events_were",
+      "@timestamp",
+      "created_at",
+      "hook_id",
+      "repo_id",
+      "org_id",
+      "org",
+      "user_agent",
+      "request_id",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "integration.create",
+    "description": "A GitHub App was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "request_id",
+      "name",
+      "user_id",
+      "_document_id",
+      "integration",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.destroy",
+    "description": "A GitHub App was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "actor_id",
+      "request_id",
+      "@timestamp",
+      "name",
+      "integration",
+      "user",
+      "_document_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "integration.generate_client_secret",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration_installation.create",
+    "description": "A GitHub App was installed.",
+    "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps",
+    "fields": [
+      "operation_type",
+      "@timestamp",
+      "name",
+      "request_id",
+      "repository_selection",
+      "user_id",
+      "action",
+      "user_agent",
+      "user",
+      "created_at",
+      "integration",
+      "_document_id",
+      "programmatic_access_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps"
+  },
+  {
+    "action": "integration_installation.destroy",
+    "description": "A GitHub App was uninstalled.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "@timestamp",
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "repository_selection",
+      "integration",
+      "user_id",
+      "user",
+      "action",
+      "operation_type",
+      "name",
+      "actor_id",
+      "user_agent",
+      "programmatic_access_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.repositories_added",
+    "description": "Repositories were added to a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access",
+    "fields": [
+      "user_id",
+      "repository_selection",
+      "name",
+      "user",
+      "request_id",
+      "integration",
+      "operation_type",
+      "actor_id",
+      "action",
+      "repositories_added",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "token_scopes",
+      "repositories_added_names",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access"
+  },
+  {
+    "action": "integration_installation.repositories_removed",
+    "description": "Repositories were removed from a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access",
+    "fields": [
+      "user",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "repository_selection",
+      "repositories_removed",
+      "integration",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "name",
+      "action",
+      "actor_id",
+      "repositories_removed_names",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access"
+  },
+  {
+    "action": "integration_installation_request.close",
+    "description": "A request to install a GitHub App was either approved or denied by an owner, or canceled by the member who opened the request.",
+    "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner",
+    "fields": [
+      "url",
+      "actor",
+      "actor_id",
+      "created_at",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "integration",
+      "action",
+      "user_agent",
+      "reason",
+      "_document_id",
+      "org",
+      "org_id",
+      "request_access_security_header",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner"
+  },
+  {
+    "action": "integration_installation_request.create",
+    "description": "A member requested that an owner install a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner",
+    "fields": [
+      "@timestamp",
+      "actor_id",
+      "org",
+      "_document_id",
+      "requester",
+      "action",
+      "user_agent",
+      "created_at",
+      "url",
+      "org_id",
+      "request_id",
+      "operation_type",
+      "actor",
+      "integration",
+      "request_access_security_header",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/requesting-a-github-app-from-your-organization-owner"
+  },
+  {
+    "action": "integration_installation.suspend",
+    "description": "A GitHub App was suspended.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "name",
+      "repository_selection",
+      "actor_id",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.unsuspend",
+    "description": "A GitHub App was unsuspended.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "name",
+      "repository_selection",
+      "actor_id",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.version_updated",
+    "description": "Permissions for a GitHub App were updated.",
+    "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app",
+    "fields": [
+      "integration",
+      "user_id",
+      "user_agent",
+      "name",
+      "user",
+      "operation_type",
+      "actor_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "created_at",
+      "repository_selection",
+      "@timestamp",
+      "actor",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app"
+  },
+  {
+    "action": "integration.manager_added",
+    "description": "A member of an enterprise or organization was added as a GitHub App manager.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization",
+    "fields": [
+      "created_at",
+      "action",
+      "_document_id",
+      "name",
+      "org_id",
+      "manager",
+      "operation_type",
+      "actor",
+      "integration",
+      "org",
+      "@timestamp",
+      "actor_id",
+      "request_id",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization"
+  },
+  {
+    "action": "integration.manager_removed",
+    "description": "A member of an enterprise or organization was removed from being a GitHub App manager.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "org",
+      "operation_type",
+      "integration",
+      "org_id",
+      "_document_id",
+      "action",
+      "actor",
+      "name",
+      "created_at",
+      "manager",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization"
+  },
+  {
+    "action": "integration.remove_client_secret",
+    "description": "A client secret for a GitHub App was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "integration.revoke_all_tokens",
+    "description": "All user tokens for a GitHub App were requested to be revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.revoke_tokens",
+    "description": "Token(s) for a GitHub App were revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.suspend",
+    "description": "A GitHub App was suspended.",
+    "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
+  },
+  {
+    "action": "integration.transfer",
+    "description": "Ownership of a GitHub App was transferred to another user or organization.",
+    "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app",
+    "fields": [
+      "@timestamp",
+      "user_id",
+      "name",
+      "transfer_to_id",
+      "user",
+      "requester",
+      "action",
+      "requester_id",
+      "actor_id",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "transfer_to",
+      "operation_type",
+      "request_id",
+      "actor",
+      "integration",
+      "transfer_from",
+      "transfer_from_id",
+      "transfer_from_type",
+      "transfer_to_type"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app"
+  },
+  {
+    "action": "integration.unsuspend",
+    "description": "A GitHub App was unsuspended.",
+    "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
+  },
+  {
+    "action": "ip_allow_list.disable",
+    "description": "An IP allow list was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "actor",
+      "request_id",
+      "org",
+      "user_agent",
+      "_document_id",
+      "user_id",
+      "actor_id",
+      "created_at",
+      "org_id",
+      "action",
+      "@timestamp",
+      "user"
+    ]
+  },
+  {
+    "action": "ip_allow_list.disable_for_installed_apps",
+    "description": "An IP allow list was disabled for installed GitHub Apps.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "ip_allow_list.enable",
+    "description": "An IP allow list was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "business",
+      "user_id",
+      "request_id",
+      "actor",
+      "user",
+      "business_id",
+      "_document_id",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "actor_id",
+      "operation_type",
+      "org",
+      "created_at"
+    ]
+  },
+  {
+    "action": "ip_allow_list.enable_for_installed_apps",
+    "description": "An IP allow list was enabled for installed GitHub Apps.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "ip_allow_list_entry.create",
+    "description": "An IP address was added to an IP allow list.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "active",
+      "org",
+      "ip_allow_list_entry",
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "action",
+      "request_id",
+      "actor_id",
+      "business_id",
+      "org_id",
+      "business",
+      "actor",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "ip_allow_list_entry.destroy",
+    "description": "An IP address was deleted from an IP allow list.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "request_id",
+      "ip_allow_list_entry",
+      "org",
+      "operation_type",
+      "created_at",
+      "active",
+      "action",
+      "@timestamp",
+      "business",
+      "business_id",
+      "user_agent",
+      "org_id",
+      "actor",
+      "actor_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "ip_allow_list_entry.update",
+    "description": "An IP address or its description was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "_document_id",
+      "actor",
+      "org",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "ip_allow_list_entry",
+      "active",
+      "org_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "issue_comment.destroy",
+    "description": "A comment on an issue was deleted from the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "org",
+      "repo",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "repo_id",
+      "actor",
+      "request_id",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "issue_comment.update",
+    "description": "A comment on an issue (other than the initial one) changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "org",
+      "action",
+      "repo_id",
+      "org_id",
+      "created_at",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "_document_id",
+      "actor_id",
+      "actor",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_add",
+    "description": "An issue was marked as blocked by another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_remove",
+    "description": "The blocked by relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "org",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_add",
+    "description": "An issue was marked as blocking another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_remove",
+    "description": "The blocking relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue.destroy",
+    "description": "An issue was deleted from the repository.",
+    "docs_reference_links": "/issues/tracking-your-work-with-issues/deleting-an-issue",
+    "fields": [
+      "user",
+      "actor_id",
+      "created_at",
+      "title",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "actor",
+      "user_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "repo",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Deleting an issue"
+  },
+  {
+    "action": "issue.pinned",
+    "description": "An issue was pinned to a repository.",
+    "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository",
+    "fields": [
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "created_at",
+      "action",
+      "actor",
+      "operation_type",
+      "owner_type",
+      "@timestamp",
+      "repo_id",
+      "request_id",
+      "number",
+      "repo",
+      "event",
+      "user",
+      "user_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Pinning an issue to your repository"
+  },
+  {
+    "action": "issue.transfer",
+    "description": "An issue was transferred to another repository.",
+    "docs_reference_links": "/issues/tracking-your-work-with-issues/transferring-an-issue-to-another-repository",
+    "fields": [
+      "user",
+      "user_id",
+      "@timestamp",
+      "user_agent",
+      "owner_type",
+      "actor_id",
+      "number",
+      "repo",
+      "operation_type",
+      "_document_id",
+      "repo_id",
+      "action",
+      "request_id",
+      "created_at",
+      "actor",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Transferring an issue to another repository"
+  },
+  {
+    "action": "issue_type.create",
+    "description": "An issue type was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "issue_type_name",
+      "description",
+      "color",
+      "enabled",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_type.destroy",
+    "description": "An issue type was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "issue_type_name",
+      "description",
+      "color",
+      "enabled",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_type.update",
+    "description": "An issue type was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "issue_type_name",
+      "description",
+      "color",
+      "enabled",
+      "old_issue_type_name",
+      "old_description",
+      "old_color",
+      "old_enabled",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue.unpinned",
+    "description": "An issue was unpinned from a repository.",
+    "docs_reference_links": "/issues/tracking-your-work-with-issues/pinning-an-issue-to-your-repository",
+    "fields": [
+      "event",
+      "user_agent",
+      "actor_id",
+      "repo_id",
+      "actor",
+      "action",
+      "created_at",
+      "request_id",
+      "repo",
+      "operation_type",
+      "_document_id",
+      "number",
+      "owner_type",
+      "@timestamp",
+      "user",
+      "user_id",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Pinning an issue to your repository"
+  },
+  {
+    "action": "issues.deletes_disabled",
+    "description": "The ability for enterprise members to delete issues was disabled  Members cannot delete issues in any organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues",
+    "fields": [
+      "user_agent",
+      "action",
+      "@timestamp",
+      "operation_type",
+      "request_id",
+      "actor_id",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "actor",
+      "user",
+      "org",
+      "org_id"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "issues.deletes_enabled",
+    "description": "The ability for enterprise members to delete issues was enabled  Members can delete issues in any organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues",
+    "fields": [
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "actor",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "issues.deletes_policy_cleared",
+    "description": "An enterprise owner cleared the policy setting for allowing members to delete issues in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-deleting-issues",
+    "fields": [
+      "user",
+      "request_id",
+      "actor",
+      "business_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "user_id",
+      "actor_id"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "marketplace_agreement_signature.create",
+    "description": "The GitHub Marketplace Developer Agreement was signed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "action",
+      "user",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "marketplace_listing.approve",
+    "description": "A listing was approved for inclusion in GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "secondary_category",
+      "actor",
+      "primary_category",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "marketplace_listing",
+      "integration",
+      "action"
+    ]
+  },
+  {
+    "action": "marketplace_listing.change_category",
+    "description": "A category for a listing for an app in GitHub Marketplace was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "primary_category",
+      "user_agent",
+      "request_id",
+      "actor",
+      "marketplace_listing",
+      "@timestamp",
+      "integration",
+      "org_id",
+      "action",
+      "org",
+      "secondary_category",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "marketplace_listing.create",
+    "description": "A listing for an app in GitHub Marketplace was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "primary_category",
+      "_document_id",
+      "user",
+      "created_at",
+      "user_agent",
+      "oauth_application",
+      "action",
+      "request_id",
+      "marketplace_listing",
+      "user_id",
+      "secondary_category",
+      "oauth_application_id",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "marketplace_listing.delist",
+    "description": "A listing was removed from GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "created_at",
+      "secondary_category",
+      "operation_type",
+      "marketplace_listing",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "primary_category",
+      "integration"
+    ]
+  },
+  {
+    "action": "marketplace_listing.redraft",
+    "description": "A listing was sent back to draft state.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "secondary_category",
+      "oauth_application_id",
+      "@timestamp",
+      "action",
+      "user_agent",
+      "user_id",
+      "operation_type",
+      "oauth_application",
+      "actor",
+      "created_at",
+      "marketplace_listing",
+      "request_id",
+      "actor_id",
+      "primary_category",
+      "user"
+    ]
+  },
+  {
+    "action": "marketplace_listing.reject",
+    "description": "A listing was not accepted for inclusion in GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "primary_category",
+      "secondary_category",
+      "marketplace_listing",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "members_can_create_pages.disable",
+    "description": "The ability for members to publish GitHub Pages sites was disabled.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization"
+  },
+  {
+    "action": "members_can_create_pages.enable",
+    "description": "The ability for members to publish GitHub Pages sites was enabled.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization"
+  },
+  {
+    "action": "members_can_create_private_pages.disable",
+    "description": "The ability for members to publish private GitHub Pages was disabled  Members cannot publish private GitHub Pages in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization"
+  },
+  {
+    "action": "members_can_create_private_pages.enable",
+    "description": "The ability for members to publish private GitHub Pages was enabled  Members can publish private GitHub Pages in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization"
+  },
+  {
+    "action": "members_can_create_public_pages.disable",
+    "description": "The ability for members to publish public GitHub Pages was disabled  Members cannot publish public GitHub Pages in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization"
+  },
+  {
+    "action": "members_can_create_public_pages.enable",
+    "description": "The ability for members to publish public GitHub Pages was enabled  Members can publish public GitHub Pages in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-publication-of-github-pages-sites-for-your-organization"
+  },
+  {
+    "action": "members_can_delete_repos.clear",
+    "description": "An enterprise owner cleared the policy setting for deleting or transferring repositories in any organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer",
+    "fields": [
+      "_document_id",
+      "request_id",
+      "user",
+      "user_id",
+      "business",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "business_id",
+      "@timestamp",
+      "created_at",
+      "action"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "members_can_delete_repos.disable",
+    "description": "The ability for enterprise members to delete repositories was disabled  Members cannot delete or transfer repositories in any organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer",
+    "fields": [
+      "request_id",
+      "org",
+      "_document_id",
+      "actor_id",
+      "user",
+      "user_id",
+      "user_agent",
+      "actor",
+      "operation_type",
+      "org_id",
+      "action",
+      "@timestamp",
+      "created_at"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "members_can_delete_repos.enable",
+    "description": "The ability for enterprise members to delete repositories was enabled  Members can delete or transfer repositories in any organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-repository-deletion-and-transfer",
+    "fields": [
+      "action",
+      "org_id",
+      "user_id",
+      "business",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "user",
+      "business_id",
+      "created_at",
+      "actor",
+      "org",
+      "operation_type",
+      "user_agent"
+    ],
+    "docs_reference_titles": "Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "members_can_view_dependency_insights.clear",
+    "description": "An enterprise owner cleared the policy setting for viewing dependency insights in any organizations in an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "created_at",
+      "request_id",
+      "actor",
+      "action",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "members_can_view_dependency_insights.disable",
+    "description": "The ability for enterprise members to view dependency insights was disabled. Members cannot view dependency insights in any organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise",
+    "fields": [
+      "business",
+      "created_at",
+      "user_id",
+      "business_id",
+      "user",
+      "org",
+      "operation_type",
+      "request_id",
+      "actor",
+      "_document_id",
+      "action",
+      "user_agent",
+      "actor_id",
+      "org_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "members_can_view_dependency_insights.enable",
+    "description": "The ability for enterprise members to view dependency insights was enabled. Members can view dependency insights in any organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-dependency-insights-in-your-enterprise",
+    "fields": [
+      "request_id",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "operation_type",
+      "@timestamp",
+      "action",
+      "actor",
+      "actor_id"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "merge_queue.pull_request_dequeued",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "merge_queue.pull_request_queue_jump",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "token_id",
+      "token_scopes",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "merge_queue.queue_cleared",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "merge_queue.update_settings",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "max_entries_to_build",
+      "min_entries_to_merge",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "org",
+      "created_at",
+      "operation_type",
+      "org_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "migration.create",
+    "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "org_id",
+      "_document_id",
+      "org",
+      "repo_id",
+      "action",
+      "actor",
+      "created_at",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "migration.destroy_file",
+    "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "@timestamp",
+      "org_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "repo",
+      "_document_id",
+      "repo_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "migration.download",
+    "description": "A migration file for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance was downloaded.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "org_id",
+      "request_id",
+      "oauth_application_id",
+      "repo_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "created_at",
+      "org",
+      "action",
+      "_document_id",
+      "repo",
+      "actor",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "network_configuration.create",
+    "description": "A network configuration for a hosted compute service was created.",
+    "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "selected_service",
+      "network_settings_ids",
+      "previous_settings_ids",
+      "network_configuration_id"
+    ],
+    "docs_reference_titles": "About networking for hosted compute products in your enterprise"
+  },
+  {
+    "action": "network_configuration.delete",
+    "description": "A network configuration for a hosted compute service was deleted.",
+    "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "network_configuration_id"
+    ],
+    "docs_reference_titles": "About networking for hosted compute products in your enterprise"
+  },
+  {
+    "action": "network_configuration.update",
+    "description": "A network configuration for a hosted compute service was updated.",
+    "docs_reference_links": "/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "selected_service",
+      "network_settings_ids",
+      "previous_settings_ids"
+    ],
+    "docs_reference_titles": "About networking for hosted compute products in your enterprise"
+  },
+  {
+    "action": "oauth_application.create",
+    "description": "An OAuth application was created.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "org",
+      "created_at",
+      "oauth_application_id",
+      "operation_type",
+      "user_agent",
+      "actor_id",
+      "org_id",
+      "action",
+      "actor",
+      "oauth_application",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.destroy",
+    "description": "An OAuth application was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "created_at",
+      "oauth_application_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "oauth_application",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "request_id",
+      "action",
+      "user",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.generate_client_secret",
+    "description": "An OAuth application's secret key was generated.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.remove_client_secret",
+    "description": "An OAuth application's secret key was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.reset_secret",
+    "description": "The secret key for an OAuth application was reset.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user",
+      "user_id",
+      "action",
+      "oauth_application",
+      "operation_type",
+      "request_id",
+      "actor_id",
+      "_document_id",
+      "created_at",
+      "actor",
+      "oauth_application_id",
+      "@timestamp",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.revoke_all_tokens",
+    "description": "All user tokens for an OAuth application were requested to be revoked.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.revoke_tokens",
+    "description": "Token(s) for an OAuth application were revoked.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "oauth_application_id",
+      "oauth_application",
+      "actor_id",
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "user_id",
+      "action",
+      "_document_id",
+      "actor",
+      "user",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.transfer",
+    "description": "An OAuth application was transferred from one account to another.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "oauth_application",
+      "actor_id",
+      "oauth_application_id",
+      "@timestamp",
+      "user_id",
+      "_document_id",
+      "request_id",
+      "user",
+      "action"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "org.accept_business_invitation",
+    "description": "An invitation sent to an organization to join an enterprise was accepted.",
+    "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.add_billing_manager",
+    "description": "A billing manager was added to an organization.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization",
+    "fields": [
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "org",
+      "user_id",
+      "action",
+      "created_at",
+      "org_id",
+      "user",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/adding-a-billing-manager-to-your-organization"
+  },
+  {
+    "action": "org.add_disallowed_two_factor_method",
+    "description": "An organization prevented access to resources by users with the given two-factor method.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "two_factor_method",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.add_member",
+    "description": "A user joined an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "permission",
+      "_document_id",
+      "org",
+      "operation_type",
+      "request_id",
+      "actor",
+      "user",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "org_id",
+      "user_id",
+      "actor_id",
+      "action",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.add_outside_collaborator",
+    "description": "An outside collaborator was added to a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "inviter",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "permission",
+      "invitee",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.add_security_manager",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "org",
+      "team",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.advanced_security_disabled_for_new_repos",
+    "description": "GitHub Advanced Security was disabled for new repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_disabled_on_all_repos",
+    "description": "GitHub Advanced Security was disabled for all repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_enabled_for_new_repos",
+    "description": "GitHub Advanced Security was enabled for new repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_enabled_on_all_repos",
+    "description": "GitHub Advanced Security was enabled for all repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_entity_policy_update",
+    "description": "An enterprise owner updated the GitHub Advanced Security access policy for repositories owned by the organization.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "org.advanced_security_policy_selected_member_disabled",
+    "description": "An enterprise owner prevented GitHub Advanced Security features from being enabled for repositories owned by the organization.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "org.advanced_security_policy_selected_member_enabled",
+    "description": "An enterprise owner allowed GitHub Advanced Security features to be enabled for repositories owned by the organization.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-advanced-security-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for code security and analysis for your enterprise"
+  },
+  {
+    "action": "org.allow_third_party_access_requests_from_outside_collaborators_disabled",
+    "description": "Third-party application access for outside collaborators was disabled for the organization.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests"
+  },
+  {
+    "action": "org.allow_third_party_access_requests_from_outside_collaborators_enabled",
+    "description": "Third-party application access for outside collaborators was enabled for the organization.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/limiting-oauth-app-and-github-app-access-requests#enabling-or-disabling-integration-access-requests"
+  },
+  {
+    "action": "org.archive",
+    "description": "The organization was archived.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.audit_log_export",
+    "description": "An export of the organization audit log was created. If the export included a query, the log will list the query used and the number of audit log entries matching that query.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log",
+    "fields": [
+      "org_id",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "_document_id",
+      "actor",
+      "org",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#exporting-the-audit-log"
+  },
+  {
+    "action": "org.audit_log_git_event_export",
+    "description": "An export of the organization's Git events was created.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "start",
+      "end",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/audit-log-events-for-your-organization"
+  },
+  {
+    "action": "org.billing_signup_error",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "request_id",
+      "user_agent",
+      "action",
+      "@timestamp",
+      "actor_id",
+      "org_id",
+      "_document_id",
+      "actor",
+      "org",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.block_user",
+    "description": "An organization owner blocked a user from accessing the organization's repositories.",
+    "docs_reference_links": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization",
+    "fields": [
+      "actor",
+      "user_agent",
+      "org_id",
+      "created_at",
+      "_document_id",
+      "blocked_user",
+      "action",
+      "operation_type",
+      "actor_id",
+      "org",
+      "@timestamp",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/maintaining-your-safety-on-github/blocking-a-user-from-your-organization"
+  },
+  {
+    "action": "org.cancel_business_invitation",
+    "description": "An invitation for an organization to join an enterprise was revoked",
+    "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "initiated_from"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.cancel_invitation",
+    "description": "An invitation sent to a user to join an organization was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "org_id",
+      "request_id",
+      "email",
+      "@timestamp",
+      "actor",
+      "action",
+      "operation_type",
+      "user_agent",
+      "org",
+      "invitation_id",
+      "_document_id",
+      "created_at",
+      "invitee_email",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.clear_custom_invitation_rate_limit",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "org.clear_disallowed_two_factor_methods",
+    "description": "Cleared two-factor authentication restrictions for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_disabled",
+    "description": "Autofix for code scanning alerts was disabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_enabled",
+    "description": "Autofix for code scanning alerts was enabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_third_party_tools_disabled",
+    "description": "Autofix for third party tools for code scanning alerts was disabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.code_scanning_autofix_third_party_tools_enabled",
+    "description": "Autofix for third party tools for code scanning alerts was enabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.code_security_metered_usage_lock",
+    "description": "Enablement for Code Security features on new repositories has been locked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.code_security_metered_usage_unlock",
+    "description": "Enablement for Code Security features on new repositories has been unlocked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.codeql_disabled",
+    "description": "Code scanning using the default setup was disabled for an organization.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale"
+  },
+  {
+    "action": "org.codeql_enabled",
+    "description": "Code scanning using the default setup was enabled for an organization.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale"
+  },
+  {
+    "action": "org.codespaces_access_updated",
+    "description": "Access to use Codespaces on internal and private repositories was updated for an organization.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "enablement",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/enabling-or-disabling-github-codespaces-for-your-organization"
+  },
+  {
+    "action": "org.codespaces_ownership_updated",
+    "description": "Ownership and payment for codespaces was updated for an organization.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "owner_type",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/codespaces/managing-codespaces-for-your-organization/choosing-who-owns-and-pays-for-codespaces-in-your-organization"
+  },
+  {
+    "action": "org.codespaces_team_access_allowed",
+    "description": "A team has been allowed to use Codespaces for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "team",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.codespaces_team_access_revoked",
+    "description": "A team has been prevented from using Codespaces for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "team",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.codespaces_trusted_repo_access_granted",
+    "description": "GitHub Codespaces was granted trusted repository access to all other repositories in an organization.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "org.codespaces_trusted_repo_access_revoked",
+    "description": "GitHub Codespaces trusted repository access to all other repositories in an organization was revoked.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "org.codespaces_user_access_allowed",
+    "description": "A user has been allowed to use Codespaces for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "org.codespaces_user_access_revoked",
+    "description": "A user has been prevented from using Codespaces for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "org.config.disable_collaborators_only",
+    "description": "The interaction limit for collaborators only for an organization was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "request_id",
+      "org",
+      "action",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "user_agent",
+      "org_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.disable_contributors_only",
+    "description": "The interaction limit for prior contributors only for an organization was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "action",
+      "actor_id",
+      "org",
+      "_document_id",
+      "actor",
+      "org_id",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.disable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users only for an organization was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "_document_id",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "action",
+      "created_at",
+      "actor",
+      "org",
+      "@timestamp",
+      "user_agent",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.enable_collaborators_only",
+    "description": "The interaction limit for collaborators only for an organization was enabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "request_id",
+      "operation_type",
+      "action",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.enable_contributors_only",
+    "description": "The interaction limit for prior contributors only for an organization was enabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "org",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.config.enable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users only for an organization was enabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization",
+    "fields": [
+      "actor_id",
+      "request_id",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor",
+      "_document_id",
+      "org_id",
+      "operation_type",
+      "org",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-organization#limiting-interactions-in-your-organization"
+  },
+  {
+    "action": "org.configure_self_hosted_jit_runner",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.confirm_business_invitation",
+    "description": "An invitation for an organization to join an enterprise was confirmed.",
+    "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#inviting-an-organization-to-join-your-enterprise-account",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.connect_usage_metrics_export",
+    "description": "Server statistics were exported for the organization.",
+    "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/analyzing-how-your-team-works-with-server-statistics/exporting-server-statistics",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Exporting Server Statistics"
+  },
+  {
+    "action": "org.create",
+    "description": "An organization was created.",
+    "docs_reference_links": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch",
+    "fields": [
+      "request_id",
+      "org",
+      "actor_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "org_id",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch"
+  },
+  {
+    "action": "org.create_actions_secret",
+    "description": "A GitHub Actions secret was created for an organization.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "org.create_actions_variable",
+    "description": "A GitHub Actions variable was created for an organization.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "org.create_integration_secret",
+    "description": "A Codespaces or Dependabot secret was created for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org_credential_authorization.deauthorize",
+    "description": "A member removed the SSO (SAML or OIDC) authorization from a credential that had access to your organization.",
+    "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "org_id",
+      "business",
+      "action",
+      "@timestamp",
+      "org",
+      "_document_id",
+      "business_id",
+      "actor",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "oauth_credential_type",
+      "managed_oauth_access_id",
+      "managed_token_id",
+      "managed_oauth_scopes",
+      "managed_token_scopes",
+      "managed_hashed_token"
+    ],
+    "docs_reference_titles": "Authorizing a personal access token for use with single sign-on"
+  },
+  {
+    "action": "org_credential_authorization.grant",
+    "description": "A member authorized credentials for use with SAML or OIDC single sign-on.",
+    "docs_reference_links": "/authentication/authenticating-with-saml-single-sign-on",
+    "fields": [
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "created_at",
+      "org_id",
+      "business_id",
+      "operation_type",
+      "request_id",
+      "_document_id",
+      "action",
+      "actor_id",
+      "business",
+      "org",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "oauth_credential_type",
+      "request_access_security_header",
+      "managed_oauth_access_id",
+      "managed_token_id",
+      "managed_oauth_scopes",
+      "managed_token_scopes",
+      "managed_hashed_token"
+    ],
+    "docs_reference_titles": "Authenticating with single sign-on"
+  },
+  {
+    "action": "org_credential_authorization.revoke",
+    "description": "An owner revoked authorized credentials.",
+    "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization",
+    "fields": [
+      "actor",
+      "org",
+      "@timestamp",
+      "owner",
+      "oauth_application_id",
+      "org_id",
+      "operation_type",
+      "action",
+      "business",
+      "request_id",
+      "created_at",
+      "business_id",
+      "actor_id",
+      "_document_id",
+      "user_agent",
+      "oauth_credential_type",
+      "managed_oauth_access_id",
+      "managed_token_id",
+      "managed_oauth_scopes",
+      "managed_token_scopes",
+      "managed_hashed_token"
+    ],
+    "docs_reference_titles": "Viewing and managing a member's SAML access to your organization"
+  },
+  {
+    "action": "org.delete",
+    "description": "An organization was deleted by a user or staff.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "actor",
+      "org_id",
+      "org",
+      "action",
+      "actor_id",
+      "operation_type",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.disable_member_team_creation_permission",
+    "description": "Team creation was limited to owners.",
+    "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization",
+    "fields": [
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_id",
+      "action",
+      "created_at",
+      "actor_id",
+      "user_agent",
+      "org",
+      "org_id",
+      "operation_type",
+      "request_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization"
+  },
+  {
+    "action": "org.disable_oauth_app_restrictions",
+    "description": "Third-party application access restrictions for an organization were disabled.",
+    "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization",
+    "fields": [
+      "actor_id",
+      "org_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "actor",
+      "org",
+      "operation_type",
+      "user_agent",
+      "created_at"
+    ],
+    "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization"
+  },
+  {
+    "action": "org.disable_reader_discussion_creation_permission",
+    "description": "An organization owner limited discussion creation to users with at least triage permission in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization"
+  },
+  {
+    "action": "org.disable_saml",
+    "description": "SAML single sign-on was disabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "sso_url",
+      "issuer",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "org",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.disable_source_ip_disclosure",
+    "description": "Display of IP addresses within audit log events for the organization was disabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization"
+  },
+  {
+    "action": "org.disable_two_factor_requirement",
+    "description": "A two-factor authentication requirement was disabled for the organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org",
+      "org_id",
+      "action",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "org.display_commenter_full_name_disabled",
+    "description": "An organization owner disabled the display of a commenter's full name in an organization. Members cannot see a comment author's full name.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "user_agent",
+      "org",
+      "actor_id",
+      "org_id",
+      "request_id"
+    ]
+  },
+  {
+    "action": "org.display_commenter_full_name_enabled",
+    "description": "An organization owner enabled the display of a commenter's full name in an organization. Members can see a comment author's full name.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "user_agent",
+      "request_id",
+      "actor",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "user",
+      "action",
+      "actor_id",
+      "org_id"
+    ]
+  },
+  {
+    "action": "org.enable_member_team_creation_permission",
+    "description": "Team creation by members was allowed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization",
+    "fields": [
+      "org_id",
+      "user",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "org",
+      "request_id",
+      "action",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization"
+  },
+  {
+    "action": "org.enable_oauth_app_restrictions",
+    "description": "Third-party application access restrictions for an organization were enabled.",
+    "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization",
+    "fields": [
+      "actor_id",
+      "operation_type",
+      "org",
+      "created_at",
+      "_document_id",
+      "actor",
+      "org_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization"
+  },
+  {
+    "action": "org.enable_reader_discussion_creation_permission",
+    "description": "An organization owner allowed users with read access to create discussions in an organization",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-discussion-creation-for-repositories-in-your-organization"
+  },
+  {
+    "action": "org.enable_saml",
+    "description": "SAML single sign-on was enabled for the organization.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization",
+    "fields": [
+      "actor_id",
+      "action",
+      "operation_type",
+      "actor",
+      "sso_url",
+      "org",
+      "created_at",
+      "@timestamp",
+      "issuer",
+      "org_id",
+      "_document_id",
+      "user_agent",
+      "request_id"
+    ],
+    "docs_reference_titles": "Enabling and testing SAML single sign-on for your organization"
+  },
+  {
+    "action": "org.enable_source_ip_disclosure",
+    "description": "Display of IP addresses within audit log events for the organization was enabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization"
+  },
+  {
+    "action": "org.enable_two_factor_requirement",
+    "description": "Two-factor authentication is now required for the organization.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
+    "fields": [
+      "actor_id",
+      "action",
+      "_document_id",
+      "org",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "org_id",
+      "operation_type",
+      "created_at",
+      "request_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization"
+  },
+  {
+    "action": "org.integration_manager_added",
+    "description": "An organization owner granted a member access to manage all GitHub Apps owned by an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "org_id",
+      "manager",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "actor_id",
+      "org",
+      "action",
+      "created_at"
+    ]
+  },
+  {
+    "action": "org.integration_manager_removed",
+    "description": "An organization owner removed access to manage all GitHub Apps owned by an organization from an organization member.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "@timestamp",
+      "org",
+      "user_agent",
+      "request_id",
+      "action",
+      "actor",
+      "actor_id",
+      "manager",
+      "operation_type",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "org.invite_member",
+    "description": "A new user was invited to join an organization.",
+    "docs_reference_links": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization",
+    "fields": [
+      "org",
+      "user_id",
+      "invitation_id",
+      "org_id",
+      "user",
+      "action",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "request_id",
+      "invitee_email",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization"
+  },
+  {
+    "action": "org.invite_to_business",
+    "description": "An organization was invited to join an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.members_can_update_protected_branches.disable",
+    "description": "The ability for enterprise members to update protected branches was disabled. Only enterprise owners can update protected branches.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "org.members_can_update_protected_branches.enable",
+    "description": "The ability for enterprise members to update protected branches was enabled. Members of an organization can update protected branches.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "org_id",
+      "user_agent",
+      "actor_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "_document_id",
+      "actor",
+      "user",
+      "action"
+    ]
+  },
+  {
+    "action": "org.oauth_app_access_approved",
+    "description": "Access to an organization was granted for an OAuth App.",
+    "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization",
+    "fields": [
+      "url",
+      "actor",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "org_id",
+      "_document_id",
+      "org",
+      "action",
+      "created_at",
+      "@timestamp",
+      "request_access_security_header",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization"
+  },
+  {
+    "action": "org.oauth_app_access_blocked",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "url",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "oauth_application_name"
+    ]
+  },
+  {
+    "action": "org.oauth_app_access_denied",
+    "description": "Access was disabled for an OAuth App that was previously approved.",
+    "docs_reference_links": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization",
+    "fields": [
+      "request_id",
+      "url",
+      "created_at",
+      "org_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "org",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/organizations/managing-oauth-access-to-your-organizations-data/denying-access-to-a-previously-approved-oauth-app-for-your-organization"
+  },
+  {
+    "action": "org.oauth_app_access_requested",
+    "description": "An organization member requested that an owner grant an OAuth App access to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "_document_id",
+      "request_id",
+      "url",
+      "org_id",
+      "action",
+      "@timestamp",
+      "org",
+      "request_access_security_header",
+      "oauth_application_name"
+    ]
+  },
+  {
+    "action": "org.oauth_app_access_unblocked",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "url",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "oauth_application_name"
+    ]
+  },
+  {
+    "action": "org.rate_limited_invites",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "org_id",
+      "action",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "org"
+    ]
+  },
+  {
+    "action": "org.recovery_code_failed",
+    "description": "An organization owner failed to sign into a organization with an external identity provider (IdP) using a recovery code.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "reason",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Accessing your organization if your identity provider is unavailable"
+  },
+  {
+    "action": "org.recovery_code_used",
+    "description": "An organization owner successfully signed into an organization with an external identity provider (IdP) using a recovery code.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/accessing-your-organization-if-your-identity-provider-is-unavailable",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Accessing your organization if your identity provider is unavailable"
+  },
+  {
+    "action": "org.recovery_codes_downloaded",
+    "description": "An organization owner downloaded the organization's SSO recovery codes.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes"
+  },
+  {
+    "action": "org.recovery_codes_generated",
+    "description": "An organization owner generated the organization's SSO recovery codes.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes"
+  },
+  {
+    "action": "org.recovery_codes_printed",
+    "description": "An organization owner printed the organization's SSO recovery codes.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes"
+  },
+  {
+    "action": "org.recovery_codes_viewed",
+    "description": "An organization owner viewed the organization's SSO recovery codes.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/downloading-your-organizations-saml-single-sign-on-recovery-codes",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Downloading your organization's SAML single sign-on recovery codes"
+  },
+  {
+    "action": "org.register_self_hosted_runner",
+    "description": "A new self-hosted runner was registered.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-an-organization",
+    "fields": [
+      "actor",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding self-hosted runners"
+  },
+  {
+    "action": "org.remove_actions_secret",
+    "description": "A GitHub Actions secret was removed from an organization.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "org.remove_actions_variable",
+    "description": "A GitHub Actions variable was removed from an organization.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "org.remove_billing_manager",
+    "description": "A billing manager was removed from an organization, either manually or due to a two-factor authentication requirement.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization",
+    "fields": [
+      "user_id",
+      "user_agent",
+      "org_id",
+      "user",
+      "action",
+      "_document_id",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "org",
+      "actor_id",
+      "request_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "/organizations/managing-peoples-access-to-your-organization-with-roles/removing-a-billing-manager-from-your-organization, /organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization"
+  },
+  {
+    "action": "org.remove_disallowed_two_factor_method",
+    "description": "Removed a two-factor authentication method restriction for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "two_factor_method",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.remove_integration_secret",
+    "description": "A Codespaces or Dependabot secret was removed from an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "integration",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.remove_member",
+    "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "user_agent",
+      "actor",
+      "action",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "user",
+      "operation_type",
+      "org_id",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.remove_outside_collaborator",
+    "description": "An outside collaborator was removed from an organization, either manually or due to a two-factor authentication requirement.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "user",
+      "org_id",
+      "created_at",
+      "request_id",
+      "@timestamp",
+      "action",
+      "operation_type",
+      "user_agent",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.remove_security_manager",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "org",
+      "team",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.remove_self_hosted_runner",
+    "description": "A self-hosted runner was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-an-organization",
+    "fields": [
+      "operation_type",
+      "org_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "org",
+      "created_at",
+      "actor",
+      "action",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing self-hosted runners"
+  },
+  {
+    "action": "org.rename",
+    "description": "An organization was renamed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "_document_id",
+      "@timestamp",
+      "org",
+      "action",
+      "actor",
+      "old_login",
+      "org_id",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.required_workflow_create",
+    "description": "Triggered when a required workflow is created.",
+    "docs_reference_links": "/actions/using-workflows/required-workflows",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/actions/using-workflows/required-workflows"
+  },
+  {
+    "action": "org.required_workflow_delete",
+    "description": "Triggered when a required workflow is deleted.",
+    "docs_reference_links": "/actions/using-workflows/required-workflows",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/actions/using-workflows/required-workflows"
+  },
+  {
+    "action": "org.required_workflow_update",
+    "description": "Triggered when a required workflow is updated.",
+    "docs_reference_links": "/actions/using-workflows/required-workflows",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/actions/using-workflows/required-workflows"
+  },
+  {
+    "action": "org.restore_member",
+    "description": "An organization member was restored.",
+    "docs_reference_links": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization",
+    "fields": [
+      "user",
+      "actor",
+      "user_id",
+      "_document_id",
+      "action",
+      "created_at",
+      "org_id",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "org",
+      "actor_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-membership-in-your-organization/reinstating-a-former-member-of-your-organization"
+  },
+  {
+    "action": "org.revoke_external_identity",
+    "description": "A member's linked identity was revoked.",
+    "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity",
+    "fields": [
+      "actor",
+      "org",
+      "org_id",
+      "user",
+      "operation_type",
+      "user_id",
+      "@timestamp",
+      "action",
+      "actor_id",
+      "user_agent",
+      "_document_id",
+      "request_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "Viewing and managing a member's SAML access to your organization"
+  },
+  {
+    "action": "org.revoke_sso_session",
+    "description": "A member's SAML session was revoked.",
+    "docs_reference_links": "/organizations/granting-access-to-your-organization-with-saml-single-sign-on/viewing-and-managing-a-members-saml-access-to-your-organization#viewing-and-revoking-a-linked-identity",
+    "fields": [
+      "actor_id",
+      "created_at",
+      "user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "org",
+      "org_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "user_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Viewing and managing a member's SAML access to your organization"
+  },
+  {
+    "action": "org.runner_group_created",
+    "description": "A self-hosted runner group was created.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#creating-a-self-hosted-runner-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "runner_group_restricted_to_workflows",
+      "runner_group_selected_workflow_refs",
+      "programmatic_access_type",
+      "network_configuration_id"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_removed",
+    "description": "A self-hosted runner group was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#removing-a-self-hosted-runner-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_renamed",
+    "description": "A self-hosted runner group was renamed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_runner_removed",
+    "description": "The REST API was used to remove a self-hosted runner from a group.",
+    "docs_reference_links": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "runner_group_id",
+      "runner_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/rest/actions#remove-a-self-hosted-runner-from-a-group-for-an-organization"
+  },
+  {
+    "action": "org.runner_group_runners_added",
+    "description": "A self-hosted runner was added to a group.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#moving-a-self-hosted-runner-to-a-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_runners_updated",
+    "description": "A runner group's list of members was updated.",
+    "docs_reference_links": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "runner_group_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/rest/actions#set-self-hosted-runners-in-a-group-for-an-organization"
+  },
+  {
+    "action": "org.runner_group_updated",
+    "description": "The configuration of a self-hosted runner group was changed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/managing-access-to-self-hosted-runners-using-groups#changing-the-access-policy-of-a-self-hosted-runner-group",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "runner_group_name",
+      "runner_group_allow_public",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "runner_group_restricted_to_workflows",
+      "runner_group_selected_workflow_refs",
+      "programmatic_access_type",
+      "network_configuration_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing access to self-hosted runners using groups"
+  },
+  {
+    "action": "org.runner_group_visiblity_updated",
+    "description": "The visibility of a self-hosted runner group was updated via the REST API.",
+    "docs_reference_links": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "runner_group_id",
+      "visibility",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/rest/actions#update-a-self-hosted-runner-group-for-an-organization"
+  },
+  {
+    "action": "org.secret_protection_metered_usage_lock",
+    "description": "Enablement for Secret Protection features on new repositories has been locked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.secret_protection_metered_usage_unlock",
+    "description": "Enablement for Secret Protection features on new repositories has been unlocked for this organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org_secret_scanning_automatic_validity_checks.disabled",
+    "description": "Automatic partner validation checks have been disabled at the organization level",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization"
+  },
+  {
+    "action": "org_secret_scanning_automatic_validity_checks.enabled",
+    "description": "Automatic partner validation checks have been enabled at the organization level",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#allowing-validity-checks-for-partner-patterns-in-an-organization"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.create",
+    "description": "A custom pattern was created for secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.delete",
+    "description": "A custom pattern was removed from secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.publish",
+    "description": "A custom pattern was published for secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org.secret_scanning_custom_pattern_push_protection_disabled",
+    "description": "Push protection for a custom pattern for secret scanning was disabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org.secret_scanning_custom_pattern_push_protection_enabled",
+    "description": "Push protection for a custom pattern for secret scanning was enabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_custom_pattern.update",
+    "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "org_secret_scanning_generic_secrets.disabled",
+    "description": "Generic secrets have been disabled at the organization level",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org_secret_scanning_generic_secrets.enabled",
+    "description": "Generic secrets have been enabled at the organization level",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org_secret_scanning_non_provider_patterns.disabled",
+    "description": "Secret scanning for non-provider patterns was disabled at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "org_secret_scanning_non_provider_patterns.enabled",
+    "description": "Secret scanning for non-provider patterns was enabled at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.add",
+    "description": "A role or team was added to the push protection bypass list at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.disable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.enable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_bypass_list.remove",
+    "description": "A role or team was removed from the push protection bypass list at the organization level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_custom_message_disabled",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was disabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_custom_message_enabled",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was enabled for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_custom_message_updated",
+    "description": "The custom message triggered by an attempted push to a push-protected repository was updated for an organization.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#enabling-secret-scanning-as-a-push-protection-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_disable",
+    "description": "Push protection for secret scanning was disabled.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_enable",
+    "description": "Push protection for secret scanning was enabled.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_new_repos_disable",
+    "description": "Push protection for secret scanning was disabled for all new repositories in the organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.secret_scanning_push_protection_new_repos_enable",
+    "description": "Push protection for secret scanning was enabled for all new repositories in the organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_pattern_configuration.push_protection_setting_changed",
+    "description": "The push protection setting was updated for a secret type for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "push_protection_setting",
+      "secret_type",
+      "secret_type_display_name",
+      "created_at"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org_secret_scanning_push_protection_pattern_configuration.updated",
+    "description": "The push protection pattern configuration was updated for your organization.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "org.security_center_export_code_scanning_metrics",
+    "description": "A CSV export was requested on the CodeQL pull request alerts page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.security_center_export_coverage",
+    "description": "A CSV export was requested on the Coverage page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the Overview Dashboard page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.security_center_export_risk",
+    "description": "A CSV export was requested on the Risk page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.self_hosted_runner_offline",
+    "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "org.self_hosted_runner_online",
+    "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "org.self_hosted_runner_updated",
+    "description": "The runner application was updated. This event is not included in the JSON/CSV export.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners",
+    "fields": [
+      "org_id",
+      "runner_id",
+      "runner_name",
+      "source_version",
+      "target_version",
+      "runner_group_id",
+      "runner_group_name"
+    ],
+    "docs_reference_titles": "Self-hosted runners"
+  },
+  {
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
+  {
+    "action": "org.set_actions_fork_pr_approvals_policy",
+    "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks"
+  },
+  {
+    "action": "org.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "org.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "limit",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization"
+  },
+  {
+    "action": "org.set_custom_invitation_rate_limit",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "_document_id",
+      "org_id",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "created_at",
+      "org",
+      "action"
+    ]
+  },
+  {
+    "action": "org.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization"
+  },
+  {
+    "action": "org.set_fork_pr_workflows_policy",
+    "description": "The policy for workflows on private repository forks was changed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "org.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests"
+  },
+  {
+    "action": "org.sso_response",
+    "description": "A SAML single sign-on (SSO) response was generated when a member attempted to authenticate with your organization. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "org_id",
+      "@timestamp",
+      "org",
+      "issuer",
+      "business",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "business_id",
+      "_document_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.transfer",
+    "description": "An organization was transferred between enterprise accounts.",
+    "docs_reference_links": "/admin/user-management/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "from_business",
+      "to_business",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.transfer_outgoing",
+    "description": "An organization was transferred between enterprise accounts.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/adding-organizations-to-your-enterprise#transferring-an-organization-between-enterprise-accounts",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "from_business",
+      "to_business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Adding organizations to your enterprise"
+  },
+  {
+    "action": "org.unarchive",
+    "description": "The organization was unarchived.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.unblock_user",
+    "description": "A user was unblocked from an organization.",
+    "docs_reference_links": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization",
+    "fields": [
+      "oauth_application_id",
+      "_document_id",
+      "blocked_user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "created_at",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/communities/maintaining-your-safety-on-github/unblocking-a-user-from-your-organization"
+  },
+  {
+    "action": "org.update_actions_secret",
+    "description": "A GitHub Actions secret was updated for an organization.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "created_at",
+      "key",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "org.update_actions_settings",
+    "description": "An organization owner or site administrator updated GitHub Actions policy settings for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "new_policy",
+      "updated_allowed_types",
+      "old_policy",
+      "updated_access_policy",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization"
+  },
+  {
+    "action": "org.update_actions_variable",
+    "description": "A GitHub Actions variable was updated for an organization.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "org.update_default_repository_permission",
+    "description": "The default repository permission level for organization members was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "action",
+      "operation_type",
+      "created_at",
+      "org",
+      "org_id",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "permission",
+      "actor_id",
+      "old_permission",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.update_immutable_releases_settings_policy",
+    "description": "The settings policy for immutable releases was updated for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "old_policy",
+      "new_policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.update_integration_secret",
+    "description": "A Codespaces or Dependabot secret was updated for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.update_member",
+    "description": "A person's role was changed from owner to member or member to owner.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "org_id",
+      "created_at",
+      "_document_id",
+      "user",
+      "user_id",
+      "action",
+      "request_id",
+      "actor_id",
+      "old_permission",
+      "permission",
+      "actor",
+      "user_agent",
+      "operation_type",
+      "org"
+    ]
+  },
+  {
+    "action": "org.update_member_repository_creation_permission",
+    "description": "The create repository permission for organization members was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "action",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "permission",
+      "created_at",
+      "user_agent",
+      "org",
+      "org_id",
+      "_document_id",
+      "visibility",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.update_member_repository_invitation_permission",
+    "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.",
+    "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators",
+    "fields": [
+      "actor_id",
+      "permission",
+      "action",
+      "org_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "business_id",
+      "operation_type",
+      "org",
+      "user_agent",
+      "request_id",
+      "business",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Setting permissions for adding outside collaborators"
+  },
+  {
+    "action": "org.update_new_repository_default_branch_setting",
+    "description": "The name of the default branch was changed for new repositories in the organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-the-default-branch-name-for-repositories-in-your-organization"
+  },
+  {
+    "action": "org.update_repo_self_hosted_runners_policy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_repo_runners_policy",
+      "new_repo_runners_policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.update_saml_provider_settings",
+    "description": "An organization's SAML provider settings were updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "sso_url",
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "issuer",
+      "org",
+      "_document_id",
+      "actor",
+      "org_id",
+      "created_at",
+      "request_id",
+      "action"
+    ]
+  },
+  {
+    "action": "org.update_terms_of_service",
+    "description": "An organization changed between the Standard Terms of Service and the GitHub Customer Agreement.",
+    "docs_reference_links": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement",
+    "fields": [
+      "request_id",
+      "org_id",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "org",
+      "action",
+      "@timestamp",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/upgrading-to-the-github-customer-agreement"
+  },
+  {
+    "action": "organization_custom_property_value.create",
+    "description": "An organization's custom property value was manually set for the first time.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_custom_property_value.destroy",
+    "description": "An organization's custom property value was deleted.",
+    "docs_reference_links": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "definition_id",
+      "property_name",
+      "value",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/admin/managing-accounts-and-repositories/managing-organizations-in-your-enterprise/managing-custom-properties-for-organization-in-your-enterprise"
+  },
+  {
+    "action": "organization_default_label.create",
+    "description": "A default label was created for repositories in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "operation_type",
+      "_document_id",
+      "action",
+      "created_at",
+      "@timestamp",
+      "user_agent",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#creating-a-default-label"
+  },
+  {
+    "action": "organization_default_label.destroy",
+    "description": "A default label was deleted for repositories in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "actor_id",
+      "org_id",
+      "org",
+      "action",
+      "created_at",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#deleting-a-default-label"
+  },
+  {
+    "action": "organization_default_label.update",
+    "description": "A default label was edited for repositories in an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label",
+    "fields": [
+      "org",
+      "created_at",
+      "@timestamp",
+      "actor",
+      "action",
+      "user_agent",
+      "actor_id",
+      "org_id",
+      "operation_type",
+      "request_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-default-labels-for-repositories-in-your-organization#editing-a-default-label"
+  },
+  {
+    "action": "organization_domain.approve",
+    "description": "A domain was approved for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner_type",
+      "domain_name",
+      "org_id",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#approving-a-domain-for-your-organization"
+  },
+  {
+    "action": "organization_domain.create",
+    "description": "A domain was added to an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "domain_name",
+      "action",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "actor"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization"
+  },
+  {
+    "action": "organization_domain.destroy",
+    "description": "A domain was removed from an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain",
+    "fields": [
+      "action",
+      "domain_name",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#removing-an-approved-or-verified-domain"
+  },
+  {
+    "action": "organization_domain.verify",
+    "description": "A domain was verified for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization",
+    "fields": [
+      "operation_type",
+      "domain_name",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "actor",
+      "action",
+      "created_at",
+      "_document_id",
+      "actor_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/verifying-or-approving-a-domain-for-your-organization#verifying-a-domain-for-your-organization"
+  },
+  {
+    "action": "organization_moderators.add_team",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "team",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "organization_moderators.add_user",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "organization_moderators.remove_team",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "team",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "organization_moderators.remove_user",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "organization_projects_change.clear",
+    "description": "An enterprise owner cleared the policy setting for organization-wide project boards in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards",
+    "fields": [
+      "actor",
+      "business_id",
+      "@timestamp",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "user_agent",
+      "_document_id",
+      "created_at",
+      "operation_type",
+      "request_id",
+      "business"
+    ],
+    "docs_reference_titles": "Enforcing policies for projects in your enterprise"
+  },
+  {
+    "action": "organization_projects_change.disable",
+    "description": "Organization projects were disabled for all organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards",
+    "fields": [
+      "org_id",
+      "action",
+      "user",
+      "org",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "user_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Enforcing policies for projects in your enterprise"
+  },
+  {
+    "action": "organization_projects_change.enable",
+    "description": "Organization projects were enabled for all organizations in an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise#enforcing-a-policy-for-organization-wide-project-boards",
+    "fields": [
+      "actor_id",
+      "org_id",
+      "created_at",
+      "user_id",
+      "org",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "request_id",
+      "user",
+      "action",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Enforcing policies for projects in your enterprise"
+  },
+  {
+    "action": "organization_role.assign",
+    "description": "An organization role was assigned to a user or team.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "organization_role_id",
+      "organization_role_name",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About custom organization roles"
+  },
+  {
+    "action": "organization_role.create",
+    "description": "A custom organization role was created in an organization.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "name",
+      "owner",
+      "role_permissions",
+      "base_role",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "About custom organization roles"
+  },
+  {
+    "action": "organization_role.destroy",
+    "description": "A custom organization role was deleted in an organization.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "name",
+      "owner",
+      "role_permissions",
+      "base_role",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "About custom organization roles"
+  },
+  {
+    "action": "organization_role.revoke",
+    "description": "A user or team was unassigned an organization role.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "organization_role_id",
+      "organization_role_name",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "About custom organization roles"
+  },
+  {
+    "action": "organization_role.update",
+    "description": "A custom organization role was edited in an organization.",
+    "docs_reference_links": "/organizations/managing-peoples-access-to-your-organization-with-roles/about-custom-organization-roles",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "name",
+      "owner",
+      "role_permissions",
+      "base_role",
+      "old_role_permissions",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "old_base_role"
+    ],
+    "docs_reference_titles": "About custom organization roles"
+  },
+  {
+    "action": "organization_wide_project_base_role.update",
+    "description": "An organization's default project base role was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_project_base_role",
+      "new_project_base_role",
+      "business",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "packages.package_deleted",
+    "description": "An entire package was deleted.",
+    "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "package",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package"
+  },
+  {
+    "action": "packages.package_published",
+    "description": "A package was published or republished to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "package",
+      "ecosystem",
+      "version_count",
+      "is_republished",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "packages.package_version_deleted",
+    "description": "A specific package version was deleted.",
+    "docs_reference_links": "/packages/learn-github-packages/deleting-and-restoring-a-package",
+    "fields": [
+      "actor_id",
+      "actor",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "package",
+      "version",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "ecosystem",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/packages/learn-github-packages/deleting-and-restoring-a-package"
+  },
+  {
+    "action": "packages.package_version_published",
+    "description": "A specific package version was published or republished to a package.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "ecosystem",
+      "package",
+      "version",
+      "actor_id",
+      "user_agent",
+      "is_republished",
+      "actor",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "pages_protected_domain.create",
+    "description": "A GitHub Pages verified domain was created for an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "pages_protected_domain.delete",
+    "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "pages_protected_domain.verify",
+    "description": "A GitHub Pages domain was verified for an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "payment_method.create",
+    "description": "A new payment method was added, such as a new credit card or PayPal account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "user_id",
+      "_document_id",
+      "action",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.remove",
+    "description": "A payment method was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "user_id",
+      "action",
+      "operation_type",
+      "actor",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.update",
+    "description": "An existing payment method was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "org_id",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "action",
+      "actor",
+      "org",
+      "user_agent",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_granted",
+    "description": "A fine-grained personal access token was granted access to resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "repository_selection",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.access_restriction_disabled",
+    "description": "The configured restriction for access to resources via personal access tokens was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_restriction_enabled",
+    "description": "The configured restriction for access to resources via personal access tokens was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_revoked",
+    "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "repository_selection",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.auto_approve_grant_requests_disabled",
+    "description": "Triggered when fine-grained personal access tokens can access organization resources without prior approval.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "personal_access_token.auto_approve_grant_requests_enabled",
+    "description": "Triggered when the organization must approve fine-grained personal access tokens before the tokens can access organization resources.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "personal_access_token.expiration_limit_set",
+    "description": "A personal access token expiration limit was set.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "token_expiration",
+      "old_token_expiration",
+      "exempt_administrators",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.expiration_limit_unset",
+    "description": "A personal access token expiration limit was unset.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "old_token_expiration",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.request_cancelled",
+    "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "org",
+      "org_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ]
+  },
+  {
+    "action": "personal_access_token.request_created",
+    "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.request_denied",
+    "description": "A request for a fine-grained personal access token to access organization resources was denied.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_programmatic_access_name",
+      "org",
+      "org_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "prebuild_configuration.create",
+    "description": "A GitHub Codespaces prebuild configuration for a repository was created.",
+    "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "branch",
+      "repository",
+      "repository_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds"
+  },
+  {
+    "action": "prebuild_configuration.destroy",
+    "description": "A GitHub Codespaces prebuild configuration for a repository was deleted.",
+    "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "branch",
+      "repository",
+      "repository_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds"
+  },
+  {
+    "action": "prebuild_configuration.run_triggered",
+    "description": "A user initiated a run of a GitHub Codespaces prebuild configuration for a repository branch.",
+    "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "branch",
+      "repository",
+      "repository_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds"
+  },
+  {
+    "action": "prebuild_configuration.update",
+    "description": "A GitHub Codespaces prebuild configuration for a repository was edited.",
+    "docs_reference_links": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "branch",
+      "repository",
+      "repository_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/codespaces/prebuilding-your-codespaces/about-github-codespaces-prebuilds"
+  },
+  {
+    "action": "premium_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "premium_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "premium_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_repository_forking.clear",
+    "description": "An enterprise owner cleared the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "business_id",
+      "actor_id",
+      "user",
+      "business",
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "private_repository_forking.disable",
+    "description": "An enterprise owner disabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are never allowed to be forked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "created_at",
+      "actor_id",
+      "_document_id",
+      "actor",
+      "user",
+      "repo",
+      "action",
+      "user_agent",
+      "@timestamp",
+      "org",
+      "operation_type",
+      "request_id",
+      "user_id",
+      "org_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "private_repository_forking.enable",
+    "description": "An enterprise owner enabled the policy setting for allowing forks of private and internal repositories, for a repository, organization or enterprise. Private and internal repositories are always allowed to be forked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user_id",
+      "operation_type",
+      "_document_id",
+      "action",
+      "@timestamp",
+      "repo",
+      "org",
+      "business",
+      "user_agent",
+      "request_id",
+      "actor",
+      "repo_id",
+      "user",
+      "org_id",
+      "created_at",
+      "business_id"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting.disable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting.enable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting_new_repos.disable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting_new_repos.enable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "profile_picture.update",
+    "description": "A profile picture was updated.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile",
+    "fields": [
+      "user",
+      "actor_id",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "owner",
+      "action",
+      "_document_id",
+      "request_id",
+      "user_agent",
+      "actor",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Personalize your profile"
+  },
+  {
+    "action": "project.access",
+    "description": "A project board visibility was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "actor",
+      "user_agent",
+      "operation_type",
+      "user",
+      "created_at",
+      "user_id",
+      "action",
+      "request_id",
+      "_document_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "project_base_role.update",
+    "description": "A project's base role was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_project_base_role",
+      "new_project_base_role",
+      "project_number",
+      "public_project",
+      "business",
+      "project_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project.close",
+    "description": "A project board was closed.",
+    "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board",
+    "fields": [
+      "org_id",
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "repo_id",
+      "org",
+      "_document_id",
+      "project_id",
+      "action",
+      "actor",
+      "actor_id",
+      "repo",
+      "project_kind"
+    ],
+    "docs_reference_titles": "Closing a project (classic)"
+  },
+  {
+    "action": "project_collaborator.add",
+    "description": "A collaborator was added to a project.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "collaborator_type",
+      "org",
+      "org_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "public_project",
+      "project_name",
+      "project_role",
+      "old_project_role",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project_collaborator.remove",
+    "description": "A collaborator was removed from a project.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "collaborator_type",
+      "user",
+      "user_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project_collaborator.update",
+    "description": "A project collaborator's permission level was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "public_project",
+      "project_name",
+      "collaborator_type",
+      "project_role",
+      "old_project_role",
+      "project_id",
+      "user",
+      "user_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project.create",
+    "description": "A project board was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user",
+      "_document_id",
+      "request_id",
+      "user_id",
+      "user_agent",
+      "@timestamp",
+      "actor_id",
+      "action",
+      "created_at",
+      "actor"
+    ]
+  },
+  {
+    "action": "project.delete",
+    "description": "A project board was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "action",
+      "actor_id",
+      "operation_type",
+      "actor",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "user"
+    ]
+  },
+  {
+    "action": "project_field.create",
+    "description": "A field was created in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields"
+  },
+  {
+    "action": "project_field.delete",
+    "description": "A field was deleted in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields"
+  },
+  {
+    "action": "project.link",
+    "description": "A repository was linked to a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "action",
+      "actor_id",
+      "org_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "org",
+      "repo"
+    ]
+  },
+  {
+    "action": "project.open",
+    "description": "A project board was reopened.",
+    "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board",
+    "fields": [
+      "actor",
+      "request_id",
+      "actor_id",
+      "action",
+      "user_id",
+      "project_id",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "user",
+      "@timestamp",
+      "created_at",
+      "project_kind",
+      "project_name"
+    ],
+    "docs_reference_titles": "Reopening a closed project (classic)"
+  },
+  {
+    "action": "project.rename",
+    "description": "A project board was renamed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "old_name",
+      "operation_type",
+      "@timestamp",
+      "repo",
+      "_document_id",
+      "user_agent",
+      "org_id",
+      "business_id",
+      "actor",
+      "repo_id",
+      "org",
+      "business"
+    ]
+  },
+  {
+    "action": "project.unlink",
+    "description": "A repository was unlinked from a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "action",
+      "created_at",
+      "actor_id",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "org",
+      "org_id"
+    ]
+  },
+  {
+    "action": "project.update_org_permission",
+    "description": "The project's base-level permission for all organization members was changed or removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org",
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "action",
+      "org_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "project.update_team_permission",
+    "description": "A team's project board permission level was changed or when a team was added or removed from a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org_id",
+      "operation_type",
+      "org",
+      "actor_id",
+      "_document_id",
+      "request_id",
+      "team",
+      "@timestamp",
+      "action",
+      "user_agent",
+      "actor"
+    ]
+  },
+  {
+    "action": "project.update_user_permission",
+    "description": "A user was added to or removed from a project board or had their permission level changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "actor_id",
+      "user",
+      "user_agent",
+      "actor",
+      "created_at",
+      "org",
+      "_document_id",
+      "org_id",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "project_view.create",
+    "description": "A view was created in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views"
+  },
+  {
+    "action": "project_view.delete",
+    "description": "A view was deleted in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views"
+  },
+  {
+    "action": "project.visibility_private",
+    "description": "A project's visibility was changed from public to private.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "project_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "project_kind",
+      "project_name"
+    ]
+  },
+  {
+    "action": "project.visibility_public",
+    "description": "A project's visibility was changed from private to public.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "project_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "project_kind",
+      "project_name",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.authorized_users_teams",
+    "description": "The users, teams, or integrations allowed to bypass a branch protection were changed.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches",
+    "fields": [
+      "repo",
+      "action",
+      "org_id",
+      "user_agent",
+      "name",
+      "created_at",
+      "_document_id",
+      "operation_type",
+      "actor",
+      "repo_id",
+      "org",
+      "request_id",
+      "actor_id",
+      "oauth_application_id",
+      "@timestamp",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches"
+  },
+  {
+    "action": "protected_branch.branch_allowances",
+    "description": "A protected branch allowance was given to a specific user, team or integration.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "name",
+      "authorized_actors",
+      "policy",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.create",
+    "description": "Branch protection was enabled on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "repo_id",
+      "user_id",
+      "@timestamp",
+      "user_agent",
+      "repo",
+      "name",
+      "org_id",
+      "user",
+      "_document_id",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "action",
+      "created_at",
+      "authorized_actor_names",
+      "token_scopes",
+      "required_deployments_enforcement_level",
+      "merge_queue_enforcement_level",
+      "create_protected"
+    ]
+  },
+  {
+    "action": "protected_branch.destroy",
+    "description": "Branch protection was disabled on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "repo",
+      "@timestamp",
+      "actor",
+      "org",
+      "actor_id",
+      "request_id",
+      "repo_id",
+      "org_id",
+      "operation_type",
+      "action",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "required_deployments_enforcement_level",
+      "merge_queue_enforcement_level",
+      "create_protected"
+    ]
+  },
+  {
+    "action": "protected_branch.dismiss_stale_reviews",
+    "description": "Enforcement of dismissing stale pull requests was updated on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "dismiss_stale_reviews_on_push",
+      "org_id",
+      "action",
+      "created_at",
+      "request_id",
+      "_document_id",
+      "@timestamp",
+      "actor_id",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "repo",
+      "org",
+      "name",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.dismissal_restricted_users_teams",
+    "description": "Enforcement of restricting users and/or teams who can dismiss reviews was updated on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "repo_id",
+      "actor",
+      "oauth_application_id",
+      "authorized_actors_only",
+      "authorized_actors",
+      "created_at",
+      "user_agent",
+      "name",
+      "_document_id",
+      "org_id",
+      "request_id",
+      "@timestamp",
+      "actor_id",
+      "org",
+      "action",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.policy_override",
+    "description": "A branch protection requirement was overridden by a repository administrator.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "created_at",
+      "actor",
+      "reasons",
+      "@timestamp",
+      "before",
+      "after",
+      "actor_id",
+      "repo",
+      "operation_type",
+      "user_agent",
+      "branch",
+      "overridden_codes",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "referrer",
+      "business",
+      "business_id",
+      "deploy_key_fingerprint",
+      "token_scopes",
+      "programmatic_access_type",
+      "compliant_pull_request_ids",
+      "rule_suite_id"
+    ]
+  },
+  {
+    "action": "protected_branch.rejected_ref_update",
+    "description": "A branch update attempt was rejected.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "org",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "org_id",
+      "operation_type",
+      "request_id",
+      "repo_id",
+      "actor",
+      "branch",
+      "before",
+      "overridden_codes",
+      "after",
+      "action",
+      "reasons",
+      "actor_id",
+      "business_id",
+      "deploy_key_fingerprint",
+      "token_scopes",
+      "programmatic_access_type",
+      "compliant_pull_request_ids",
+      "actor_is_bot",
+      "rule_suite_id"
+    ]
+  },
+  {
+    "action": "protected_branch.update_admin_enforced",
+    "description": "Branch protection was enforced for repository administrators.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "admin_enforced",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "org",
+      "name",
+      "repo",
+      "@timestamp",
+      "action",
+      "repo_id",
+      "org_id",
+      "_document_id",
+      "created_at",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_allow_deletions_enforcement_level",
+    "description": "Branch deletion was enabled or disabled for a protected branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "operation_type",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "org_id",
+      "org",
+      "action",
+      "allow_deletions_enforcement_level",
+      "_document_id",
+      "created_at",
+      "actor_id",
+      "user_agent",
+      "actor",
+      "repo_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.update_allow_force_pushes_enforcement_level",
+    "description": "Force pushes were enabled or disabled for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "actor_id",
+      "name",
+      "_document_id",
+      "actor",
+      "repo",
+      "operation_type",
+      "request_id",
+      "allow_force_pushes_enforcement_level",
+      "@timestamp",
+      "org",
+      "action",
+      "created_at",
+      "user_agent",
+      "repo_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_ignore_approvals_from_contributors",
+    "description": "Ignoring of approvals from contributors to a pull request was enabled or disabled for a branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "ignore_approvals_from_contributors",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+  },
+  {
+    "action": "protected_branch.update_linear_history_requirement_enforcement_level",
+    "description": "Required linear commit history was enabled or disabled for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "user_agent",
+      "operation_type",
+      "actor",
+      "linear_history_requirement_enforcement_level",
+      "repo",
+      "request_id",
+      "name",
+      "org_id",
+      "repo_id",
+      "org",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_lock_allows_fetch_and_merge",
+    "description": "Fork syncing was enabled or disabled for a read-only branch",
+    "docs_reference_links": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "lock_allows_fetch_and_merge",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch"
+  },
+  {
+    "action": "protected_branch.update_lock_branch_enforcement_level",
+    "description": "The enforcement of a branch lock was updated.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "enforcement_level",
+      "lock_branch_enforcement_level",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#lock-branch"
+  },
+  {
+    "action": "protected_branch.update_merge_queue_enforcement_level",
+    "description": "Enforcement of the merge queue was modified for a branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "merge_queue_enforcement_level",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue"
+  },
+  {
+    "action": "protected_branch.update_name",
+    "description": "A branch name pattern was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "old_name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.update_pull_request_reviews_enforcement_level",
+    "description": "Enforcement of required pull request reviews was updated for a branch. Can be 0 (deactivated), 1 (non-admins), or 2 (everyone).",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "org_id",
+      "_document_id",
+      "actor_id",
+      "@timestamp",
+      "business_id",
+      "request_id",
+      "pull_request_reviews_enforcement_level",
+      "org",
+      "repo",
+      "action",
+      "business",
+      "user_agent",
+      "created_at",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_require_code_owner_review",
+    "description": "Enforcement of required code owner review was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org_id",
+      "created_at",
+      "require_code_owner_review",
+      "operation_type",
+      "name",
+      "user_agent",
+      "action",
+      "@timestamp",
+      "actor",
+      "actor_id",
+      "repo",
+      "request_id",
+      "org",
+      "repo_id",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_require_last_push_approval",
+    "description": "Someone other than the person who pushed the last code-modifying commit to the branch must approve pull requests for the branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "require_last_push_approval",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-pull-request-reviews-before-merging"
+  },
+  {
+    "action": "protected_branch.update_required_approving_review_count",
+    "description": "Enforcement of the required number of approvals before merging was updated on a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "required_approving_review_count",
+      "repo",
+      "request_id",
+      "repo_id",
+      "created_at",
+      "actor",
+      "operation_type",
+      "user_agent",
+      "name",
+      "org_id",
+      "action",
+      "actor_id",
+      "_document_id",
+      "org",
+      "@timestamp",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_required_status_checks_enforcement_level",
+    "description": "Enforcement of required status checks was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org_id",
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "name",
+      "repo",
+      "action",
+      "business_id",
+      "repo_id",
+      "business",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "required_status_checks_enforcement_level",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_signature_requirement_enforcement_level",
+    "description": "Enforcement of required commit signing was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "name",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "actor",
+      "actor_id",
+      "signature_requirement_enforcement_level",
+      "repo",
+      "user_agent",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "protected_branch.update_strict_required_status_checks_policy",
+    "description": "Enforcement of required status checks was updated for a branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "_document_id",
+      "org",
+      "@timestamp",
+      "created_at",
+      "repo_id",
+      "org_id",
+      "user_agent",
+      "name",
+      "actor",
+      "repo",
+      "operation_type",
+      "action",
+      "strict_required_status_checks_policy",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "public_key.create",
+    "description": "An SSH key was added to a user account or a deploy key was added to a repository.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account",
+    "fields": [
+      "read_only",
+      "user_agent",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "key",
+      "fingerprint",
+      "actor",
+      "action",
+      "user",
+      "user_id",
+      "@timestamp",
+      "request_id",
+      "title",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account"
+  },
+  {
+    "action": "public_key.delete",
+    "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.",
+    "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys",
+    "fields": [
+      "fingerprint",
+      "user_agent",
+      "read_only",
+      "explanation",
+      "repo",
+      "@timestamp",
+      "action",
+      "key",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "title",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "created_at",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys"
+  },
+  {
+    "action": "public_key.unverification_failure",
+    "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "title",
+      "key",
+      "fingerprint",
+      "read_only",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.unverify",
+    "description": "A user account's SSH key or a repository's deploy key was unverified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "title",
+      "request_id",
+      "key",
+      "action",
+      "actor",
+      "read_only",
+      "explanation",
+      "repo_id",
+      "@timestamp",
+      "actor_id",
+      "repo",
+      "user_agent",
+      "fingerprint"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.update",
+    "description": "A user account's SSH key or a repository's deploy key was updated.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "actor",
+      "user_agent",
+      "key",
+      "fingerprint",
+      "read_only",
+      "repo_id",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "repo",
+      "action",
+      "_document_id",
+      "request_id",
+      "title",
+      "@timestamp",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.verification_failure",
+    "description": "A user account's SSH key or a repository's deploy key was unable to be verified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "repo_id",
+      "actor",
+      "key",
+      "fingerprint",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "oauth_application_id",
+      "title",
+      "action",
+      "user_agent",
+      "created_at",
+      "repo",
+      "read_only",
+      "operation_type",
+      "_document_id",
+      "user",
+      "user_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.verify",
+    "description": "A user account's SSH key or a repository's deploy key was verified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "operation_type",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "action",
+      "created_at",
+      "key",
+      "fingerprint",
+      "actor_id",
+      "actor",
+      "title",
+      "user_agent",
+      "user_id",
+      "request_id",
+      "read_only",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "pull_request.close",
+    "description": "A pull request was closed without being merged.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/closing-a-pull-request"
+  },
+  {
+    "action": "pull_request.converted_to_draft",
+    "description": "A pull request was converted to a draft.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft"
+  },
+  {
+    "action": "pull_request.create",
+    "description": "A pull request was created.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request"
+  },
+  {
+    "action": "pull_request.create_review_request",
+    "description": "A review was requested on a pull request.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "org_id",
+      "reviewer_type",
+      "reviewer",
+      "reviewer_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews"
+  },
+  {
+    "action": "pull_request.in_progress",
+    "description": "A pull request was marked as in progress.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "pull_request.indirect_merge",
+    "description": "A pull request was considered merged because the pull request's commits were merged into the target branch.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request.merge",
+    "description": "A pull request was merged.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/incorporating-changes-from-a-pull-request/merging-a-pull-request"
+  },
+  {
+    "action": "pull_request.ready_for_review",
+    "description": "A pull request was marked as ready for review.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#marking-a-pull-request-as-ready-for-review"
+  },
+  {
+    "action": "pull_request.rebase",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "pull_request_url",
+      "pull_request_title",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "pull_request.remove_review_request",
+    "description": "A review request was removed from a pull request.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "org_id",
+      "reviewer_type",
+      "reviewer",
+      "reviewer_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews"
+  },
+  {
+    "action": "pull_request.reopen",
+    "description": "A pull request was reopened after previously being closed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request_review_comment.create",
+    "description": "A review comment was added to a pull request.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "comment_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/about-pull-request-reviews"
+  },
+  {
+    "action": "pull_request_review_comment.delete",
+    "description": "A review comment on a pull request was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "repo",
+      "created_at",
+      "request_id",
+      "comment_id",
+      "actor_id",
+      "repo_id",
+      "action",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request_review_comment.update",
+    "description": "A review comment on a pull request was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "action",
+      "created_at",
+      "actor",
+      "_document_id",
+      "@timestamp",
+      "comment_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "pull_request_review.delete",
+    "description": "A review on a pull request was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "review_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "pull_request_review.dismiss",
+    "description": "A review on a pull request was dismissed.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "business_id",
+      "review_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/dismissing-a-pull-request-review"
+  },
+  {
+    "action": "pull_request_review.submit",
+    "description": "A review on a pull request was submitted.",
+    "docs_reference_links": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "pull_request_id",
+      "review_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "pull_request_url",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/reviewing-proposed-changes-in-a-pull-request#submitting-your-review"
+  },
+  {
+    "action": "repo.access",
+    "description": "The visibility of a repository changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility",
+    "fields": [
+      "repo_id",
+      "user",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "actor_id",
+      "user_id",
+      "created_at",
+      "user_agent",
+      "actor",
+      "action",
+      "repo",
+      "visibility",
+      "_document_id",
+      "previous_visibility",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility"
+  },
+  {
+    "action": "repo.actions_enabled",
+    "description": "GitHub Actions was enabled for a repository.",
+    "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api"
+  },
+  {
+    "action": "repo.add_member",
+    "description": "A collaborator was added to a repository.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository",
+    "fields": [
+      "visibility",
+      "repo",
+      "created_at",
+      "user_agent",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "repo_id",
+      "user",
+      "request_id",
+      "action",
+      "user_id",
+      "oauth_application_id",
+      "org",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Inviting collaborators to a personal repository"
+  },
+  {
+    "action": "repo.add_topic",
+    "description": "A topic was added to a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics",
+    "fields": [
+      "action",
+      "user_agent",
+      "actor",
+      "repo",
+      "repo_id",
+      "user",
+      "org",
+      "org_id",
+      "request_id",
+      "actor_id",
+      "topic",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics"
+  },
+  {
+    "action": "repo.advanced_security_disabled",
+    "description": "GitHub Advanced Security was disabled for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "repository",
+      "repository_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository"
+  },
+  {
+    "action": "repo.advanced_security_enabled",
+    "description": "GitHub Advanced Security was enabled for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "repository",
+      "repository_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository"
+  },
+  {
+    "action": "repo.archived",
+    "description": "A repository was archived.",
+    "docs_reference_links": "/repositories/archiving-a-github-repository",
+    "fields": [
+      "repo_id",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "@timestamp",
+      "repo",
+      "user",
+      "operation_type",
+      "visibility",
+      "action",
+      "actor_id",
+      "actor",
+      "_document_id",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/archiving-a-github-repository"
+  },
+  {
+    "action": "repo.change_merge_setting",
+    "description": "Pull request merge options were changed for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "oauth_application_id",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "actor_id",
+      "operation_type",
+      "action",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_analysis_deleted",
+    "description": "Code scanning analysis for a repository was deleted.",
+    "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "tool",
+      "category",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository"
+  },
+  {
+    "action": "repo.code_scanning_autofix_disabled",
+    "description": "Autofix for code scanning alerts was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_autofix_enabled",
+    "description": "Autofix for code scanning alerts was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_autofix_third_party_tools_disabled",
+    "description": "Autofix for third party tools for code scanning alerts was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_autofix_third_party_tools_enabled",
+    "description": "Autofix for third party tools for code scanning alerts was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_configuration_for_branch_deleted",
+    "description": "A code scanning configuration for a branch of a repository was deleted.",
+    "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "tool",
+      "branch",
+      "category",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Resolving code scanning alerts"
+  },
+  {
+    "action": "repo.code_scanning_delegated_alert_dismissal_disabled",
+    "description": "Prevention of direct alert dismissal for code scanning was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_delegated_alert_dismissal_enabled",
+    "description": "Prevention of direct alert dismissal for code scanning was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repo.codeql_disabled",
+    "description": "Code scanning using the default setup was disabled for a repository.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning"
+  },
+  {
+    "action": "repo.codeql_enabled",
+    "description": "Code scanning using the default setup was enabled for a repository.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "query_suite",
+      "threat_model",
+      "languages",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning"
+  },
+  {
+    "action": "repo.codeql_updated",
+    "description": "Code scanning using the default setup was updated for a repository.",
+    "docs_reference_links": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "query_suite",
+      "threat_model",
+      "languages",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning"
+  },
+  {
+    "action": "repo.codespaces_trusted_repo_access_granted",
+    "description": "GitHub Codespaces was granted trusted repository access to this repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "repo.codespaces_trusted_repo_access_revoked",
+    "description": "GitHub Codespaces trusted repository access to this repository was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "repo.config.disable_collaborators_only",
+    "description": "The interaction limit for collaborators only was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "user_agent",
+      "actor",
+      "actor_id",
+      "repo_id",
+      "_document_id",
+      "action",
+      "created_at",
+      "repo",
+      "operation_type",
+      "@timestamp",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.disable_contributors_only",
+    "description": "The interaction limit for prior contributors only was disabled in a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "repo",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "repo_id",
+      "action",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.disable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users only was disabled in a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "request_id",
+      "repo_id",
+      "action",
+      "user_agent",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "repo",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_collaborators_only",
+    "description": "The interaction limit for collaborators only was enabled in a repository  Users that are not collaborators or organization members were unable to interact with a repository for a set duration.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "oauth_application_id",
+      "created_at",
+      "action",
+      "request_id",
+      "repo_id",
+      "repo",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_contributors_only",
+    "description": "The interaction limit for prior contributors only was enabled in a repository  Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "org",
+      "action",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users was enabled in a repository  New users aren't able to interact with a repository for a set duration  Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "action",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.configure_self_hosted_jit_runner",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "token_id",
+      "token_scopes",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.create",
+    "description": "A repository was created.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository",
+    "fields": [
+      "repo",
+      "user_id",
+      "visibility",
+      "repo_id",
+      "user",
+      "request_id",
+      "actor_id",
+      "action",
+      "operation_type",
+      "request_category",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor",
+      "user_agent",
+      "org",
+      "oauth_application_id",
+      "org_id",
+      "request_method",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository"
+  },
+  {
+    "action": "repo.create_actions_secret",
+    "description": "A GitHub Actions secret was created for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.create_actions_variable",
+    "description": "A GitHub Actions variable was created for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.create_integration_secret",
+    "description": "A Codespaces or Dependabot secret was created for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.destroy",
+    "description": "A repository was deleted.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository",
+    "fields": [
+      "repo",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "actor",
+      "action",
+      "user",
+      "repo_id",
+      "operation_type",
+      "request_category",
+      "actor_id",
+      "visibility",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "request_method",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository"
+  },
+  {
+    "action": "repo.download_zip",
+    "description": "A source code archive of a repository was downloaded as a ZIP file.",
+    "docs_reference_links": "/repositories/working-with-files/using-files/downloading-source-code-archives",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/working-with-files/using-files/downloading-source-code-archives"
+  },
+  {
+    "action": "repo.immutable_releases_settings_disabled",
+    "description": "The setting for immutable releases was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.immutable_releases_settings_enabled",
+    "description": "The setting for immutable releases was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.pages_cname",
+    "description": "A GitHub Pages custom domain was modified in a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "@timestamp",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "request_id",
+      "actor_id",
+      "cname",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "action",
+      "operation_type",
+      "old_cname",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_create",
+    "description": "A GitHub Pages site was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "_document_id",
+      "user_id",
+      "visibility",
+      "action",
+      "user_agent",
+      "operation_type",
+      "repo_id",
+      "created_at",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "repo",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_destroy",
+    "description": "A GitHub Pages site was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "user_id",
+      "action",
+      "request_id",
+      "user",
+      "repo",
+      "user_agent",
+      "_document_id",
+      "actor_id",
+      "@timestamp",
+      "actor",
+      "visibility",
+      "operation_type",
+      "repo_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_https_redirect_disabled",
+    "description": "HTTPS redirects were disabled for a GitHub Pages site.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "actor_id",
+      "repo_id",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "visibility",
+      "user_id",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "operation_type",
+      "action",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_https_redirect_enabled",
+    "description": "HTTPS redirects were enabled for a GitHub Pages site.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "visibility",
+      "actor",
+      "actor_id",
+      "user",
+      "operation_type",
+      "repo_id",
+      "action",
+      "repo",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_private",
+    "description": "A GitHub Pages site visibility was changed to private.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "repo.pages_public",
+    "description": "A GitHub Pages site visibility was changed to public.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_soft_delete",
+    "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_soft_delete_restore",
+    "description": "A GitHub Pages site that was previously soft-deleted was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_source",
+    "description": "A GitHub Pages source was modified.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "actor_id",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "repo_id",
+      "user",
+      "_document_id",
+      "request_id",
+      "visibility",
+      "repo",
+      "created_at",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.register_self_hosted_runner",
+    "description": "A new self-hosted runner was registered.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository",
+    "fields": [
+      "actor_id",
+      "repo",
+      "operation_type",
+      "action",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repo_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding self-hosted runners"
+  },
+  {
+    "action": "repo.remove_actions_secret",
+    "description": "A GitHub Actions secret was deleted for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.remove_actions_variable",
+    "description": "A GitHub Actions variable was deleted for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.remove_integration_secret",
+    "description": "A Codespaces or Dependabot secret was deleted for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "integration",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.remove_member",
+    "description": "A collaborator was removed from a repository.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository",
+    "fields": [
+      "request_id",
+      "user",
+      "business",
+      "action",
+      "actor_id",
+      "org",
+      "org_id",
+      "actor",
+      "created_at",
+      "repo_id",
+      "user_agent",
+      "business_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "visibility",
+      "repo",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing a collaborator from a personal repository"
+  },
+  {
+    "action": "repo.remove_self_hosted_runner",
+    "description": "A self-hosted runner was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "@timestamp",
+      "_document_id",
+      "repo",
+      "org_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "created_at",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing self-hosted runners"
+  },
+  {
+    "action": "repo.remove_topic",
+    "description": "A topic was removed from a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "repo_id",
+      "user_agent",
+      "topic",
+      "operation_type",
+      "user_id",
+      "org",
+      "org_id",
+      "actor",
+      "business",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor_id",
+      "business_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.rename",
+    "description": "A repository was renamed.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository",
+    "fields": [
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "actor",
+      "old_name",
+      "repo",
+      "user_id",
+      "created_at",
+      "user",
+      "action",
+      "operation_type",
+      "visibility",
+      "repo_id",
+      "_document_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository"
+  },
+  {
+    "action": "repo.rename_branch",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "old_branch",
+      "new_branch",
+      "default_branch",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.restore",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "action",
+      "_document_id",
+      "actor_id",
+      "user",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_id"
+    ]
+  },
+  {
+    "action": "repo.self_hosted_runner_offline",
+    "description": "The runner application was stopped. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "repo_id",
+      "repo",
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "repo.self_hosted_runner_online",
+    "description": "The runner application was started. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/monitoring-and-troubleshooting-self-hosted-runners#checking-the-status-of-a-self-hosted-runner",
+    "fields": [
+      "repo_id",
+      "repo",
+      "org_id",
+      "org",
+      "runner_id",
+      "runner_name",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Monitoring and troubleshooting self-hosted runners"
+  },
+  {
+    "action": "repo.self_hosted_runner_updated",
+    "description": "The runner application was updated. This event is not included in the JSON/CSV export.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners#about-self-hosted-runners",
+    "fields": [
+      "repo_id",
+      "runner_id",
+      "runner_name",
+      "source_version",
+      "target_version",
+      "runner_group_id",
+      "runner_group_name"
+    ],
+    "docs_reference_titles": "Self-hosted runners"
+  },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_fork_pr_approvals_policy",
+    "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks"
+  },
+  {
+    "action": "repo.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories"
+  },
+  {
+    "action": "repo.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "limit",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository"
+  },
+  {
+    "action": "repo.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository"
+  },
+  {
+    "action": "repo.set_fork_pr_workflows_policy",
+    "description": "Triggered when the policy for workflows on private repository forks is changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "repo.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests"
+  },
+  {
+    "action": "repo.staff_unlock",
+    "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "created_at",
+      "actor",
+      "repo_id",
+      "action",
+      "org",
+      "org_id",
+      "request_id",
+      "repo",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repo.transfer",
+    "description": "A user accepted a request to receive a transferred repository.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository",
+    "fields": [
+      "@timestamp",
+      "user_id",
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "owner",
+      "user",
+      "old_user",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "repo",
+      "visibility",
+      "repo_was",
+      "actor"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository"
+  },
+  {
+    "action": "repo.transfer_outgoing",
+    "description": "A repository was transferred to another repository network.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "new_nwo",
+      "visibility",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.transfer_start",
+    "description": "A user sent a request to transfer a repository to another user or organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "user_id",
+      "request_id",
+      "user",
+      "action",
+      "user_agent",
+      "created_at",
+      "actor",
+      "visibility",
+      "repo_id",
+      "actor_id",
+      "repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.unarchived",
+    "description": "A repository was unarchived.",
+    "docs_reference_links": "/repositories/archiving-a-github-repository",
+    "fields": [
+      "actor",
+      "request_id",
+      "actor_id",
+      "repo",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "repo_id",
+      "user",
+      "@timestamp",
+      "visibility",
+      "user_agent",
+      "user_id",
+      "action",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/archiving-a-github-repository"
+  },
+  {
+    "action": "repo.update_actions_access_settings",
+    "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "old_policy",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repo.update_actions_secret",
+    "description": "A GitHub Actions secret was updated for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.update_actions_settings",
+    "description": "A repository administrator changed GitHub Actions policy settings for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "new_policy",
+      "old_policy",
+      "updated_access_policy",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.update_actions_variable",
+    "description": "A GitHub Actions variable was updated for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.update_default_branch",
+    "description": "The default branch for a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.update_integration_secret",
+    "description": "A Codespaces or Dependabot secret was updated for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.update_member",
+    "description": "A user's permission to a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "action",
+      "_document_id",
+      "actor",
+      "repo_id",
+      "created_at",
+      "oauth_application_id",
+      "user",
+      "@timestamp",
+      "repo",
+      "operation_type",
+      "request_id",
+      "org_id",
+      "actor_id",
+      "visibility",
+      "old_permission",
+      "org",
+      "user_id",
+      "old_base_role",
+      "old_repo_permission",
+      "old_repo_base_role",
+      "new_repo_base_role",
+      "new_repo_permission",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_advisory.close",
+    "description": "Someone closed a security advisory.",
+    "docs_reference_links": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories",
+    "fields": [
+      "actor",
+      "repo",
+      "@timestamp",
+      "business",
+      "business_id",
+      "user_agent",
+      "actor_id",
+      "request_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "repo_id",
+      "_document_id",
+      "org",
+      "org_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories"
+  },
+  {
+    "action": "repository_advisory.cve_request",
+    "description": "Someone requested a CVE (Common Vulnerabilities and Exposures) number from GitHub for a draft security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "repo",
+      "org_id",
+      "actor",
+      "action",
+      "request_id",
+      "org",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "actor_id",
+      "_document_id",
+      "created_at"
+    ]
+  },
+  {
+    "action": "repository_advisory.github_broadcast",
+    "description": "GitHub made a security advisory public in the GitHub Advisory Database.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "repository_advisory.github_withdraw",
+    "description": "GitHub withdrew a security advisory that was published in error.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repository_advisory.open",
+    "description": "Someone opened a draft security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user_agent",
+      "actor_id",
+      "actor",
+      "repo",
+      "created_at",
+      "_document_id",
+      "repo_id",
+      "action",
+      "@timestamp",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_advisory.publish",
+    "description": "Someone published a security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user_agent",
+      "actor_id",
+      "@timestamp",
+      "actor",
+      "repo_id",
+      "_document_id",
+      "repo",
+      "business_id",
+      "business",
+      "request_id",
+      "action",
+      "created_at",
+      "org_id",
+      "org"
+    ]
+  },
+  {
+    "action": "repository_advisory.reopen",
+    "description": "Someone reopened as draft security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user_agent",
+      "repo",
+      "action",
+      "created_at",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "_document_id",
+      "actor",
+      "repo_id",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "repository_advisory.update",
+    "description": "Someone edited a draft or published security advisory.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "repo_id",
+      "org_id",
+      "business",
+      "actor",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "business_id",
+      "repo",
+      "action",
+      "operation_type",
+      "org",
+      "@timestamp",
+      "request_id"
+    ]
+  },
+  {
+    "action": "repository_branch_protection_evaluation.disable",
+    "description": "Branch protections were disabled for the repository.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "business_id",
+      "user",
+      "user_id",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+  },
+  {
+    "action": "repository_branch_protection_evaluation.enable",
+    "description": "Branch protections were enabled for this repository.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "business_id",
+      "user",
+      "user_id",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule"
+  },
+  {
+    "action": "repository_code_security.disable",
+    "description": "Code security was disabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_code_security.enable",
+    "description": "Code security was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_content_analysis.disable",
+    "description": "Data use settings were disabled for a private repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories",
+    "fields": [
+      "user",
+      "repo_id",
+      "request_id",
+      "actor_id",
+      "created_at",
+      "user_agent",
+      "action",
+      "operation_type",
+      "actor",
+      "repo",
+      "user_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories"
+  },
+  {
+    "action": "repository_content_analysis.enable",
+    "description": "Data use settings were enabled for a private repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories",
+    "fields": [
+      "user",
+      "org",
+      "user_id",
+      "repo_id",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "action",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "repo",
+      "user_agent",
+      "org_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories"
+  },
+  {
+    "action": "repository_dependency_graph.disable",
+    "description": "The dependency graph was disabled for a private repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories",
+    "fields": [
+      "repo_id",
+      "operation_type",
+      "user_id",
+      "repo",
+      "_document_id",
+      "actor",
+      "user",
+      "action",
+      "@timestamp",
+      "org_id",
+      "actor_id",
+      "org",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-fea, tures-for-your-repository/managing-security-and-analysis-settings-for-your-repository#enabling-or-disabling-security-and-analysis-features-for-private-repositories"
+  },
+  {
+    "action": "repository_dependency_graph.enable",
+    "description": "The dependency graph was enabled for a private repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user",
+      "org",
+      "org_id",
+      "action",
+      "repo",
+      "user_id",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_image.create",
+    "description": "An image to represent a repository was uploaded.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "repo_id",
+      "action",
+      "request_id",
+      "actor",
+      "content_type",
+      "repo",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_image.destroy",
+    "description": "An image to represent a repository was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "content_type",
+      "created_at",
+      "actor_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "_document_id",
+      "actor",
+      "repo_id",
+      "user_agent",
+      "repo",
+      "user",
+      "action",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_invitation.accept",
+    "description": "An invitation to join a repository was accepted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "created_at",
+      "request_id",
+      "repo",
+      "invitee",
+      "operation_type",
+      "actor",
+      "repo_id",
+      "_document_id",
+      "action",
+      "user_agent",
+      "inviter",
+      "@timestamp",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_invitation.cancel",
+    "description": "An invitation to join a repository was canceled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "inviter",
+      "action",
+      "operation_type",
+      "_document_id",
+      "repo_id",
+      "repo",
+      "@timestamp",
+      "user_agent",
+      "invitee",
+      "created_at",
+      "request_id",
+      "actor",
+      "actor_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_invitation.create",
+    "description": "An invitation to join a repository was sent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "invitee",
+      "action",
+      "request_id",
+      "inviter",
+      "repo",
+      "created_at",
+      "user_agent",
+      "repo_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_invitation.reject",
+    "description": "An invitation to join a repository was declined.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "_document_id",
+      "actor",
+      "invitee",
+      "action",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "inviter",
+      "user_agent",
+      "repo_id"
+    ]
+  },
+  {
+    "action": "repository_limit.reached",
+    "description": "An organization has reached their repository limit.",
+    "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "limit",
+      "count",
+      "owner",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits"
+  },
+  {
+    "action": "repository_limit.warning",
+    "description": "An organization is approaching their repository limit.",
+    "docs_reference_links": "repositories/creating-and-managing-repositories/repository-limits",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "limit",
+      "count",
+      "owner",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "repositories/creating-and-managing-repositories/repository-limits"
+  },
+  {
+    "action": "repository_projects_change.clear",
+    "description": "The repository projects policy was removed for an organization, or all organizations in the enterprise  Organization owners can now control their repository projects settings.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-projects-in-your-enterprise",
+    "fields": [
+      "request_id",
+      "created_at",
+      "_document_id",
+      "action",
+      "user_agent",
+      "user",
+      "business_id",
+      "business",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "user_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Enforcing policies for projects in your enterprise"
+  },
+  {
+    "action": "repository_projects_change.disable",
+    "description": "Repository projects were disabled for a repository, all repositories in an organization, or all organizations in an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "@timestamp",
+      "repo",
+      "action",
+      "operation_type",
+      "_document_id",
+      "actor_id",
+      "user",
+      "user_id",
+      "user_agent",
+      "repo_id",
+      "actor",
+      "request_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_projects_change.enable",
+    "description": "Repository projects were enabled for a repository, all repositories in an organization, or all organizations in an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "actor",
+      "repo_id",
+      "org",
+      "request_id",
+      "user",
+      "user_agent",
+      "created_at",
+      "org_id",
+      "action",
+      "user_id",
+      "operation_type",
+      "_document_id",
+      "actor_id",
+      "repo"
+    ]
+  },
+  {
+    "action": "repository_ruleset.create",
+    "description": "A repository ruleset was created.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules",
+      "ruleset_conditions",
+      "ruleset_bypass_actors",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository"
+  },
+  {
+    "action": "repository_ruleset.destroy",
+    "description": "A repository ruleset was deleted.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules",
+      "ruleset_bypass_actors",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset"
+  },
+  {
+    "action": "repository_ruleset.update",
+    "description": "A repository ruleset was edited.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules_updated",
+      "ruleset_conditions_added",
+      "ruleset_conditions_deleted",
+      "ruleset_old_enforcement",
+      "ruleset_rules_added",
+      "ruleset_rules_deleted",
+      "ruleset_old_name",
+      "ruleset_conditions_updated",
+      "ruleset_bypass_actors_added",
+      "ruleset_bypass_actors_deleted",
+      "ruleset_bypass_actors_updated",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset"
+  },
+  {
+    "action": "repository_secret_scanning_automatic_validity_checks.disabled",
+    "description": "Automatic partner validation checks have been disabled at the repository level",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository"
+  },
+  {
+    "action": "repository_secret_scanning_automatic_validity_checks.enabled",
+    "description": "Automatic partner validation checks have been enabled at the repository level",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#allowing-validity-checks-for-partner-patterns-in-a-repository"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.create",
+    "description": "A custom pattern was created for secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.delete",
+    "description": "A custom pattern was removed from secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#removing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.publish",
+    "description": "A custom pattern was published for secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern_push_protection.disabled",
+    "description": "Push protection for a custom pattern for secret scanning was disabled for your repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern_push_protection.enabled",
+    "description": "Push protection for a custom pattern for secret scanning was enabled for your repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#defining-a-custom-pattern-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning_custom_pattern.update",
+    "description": "Changes to a custom pattern were saved and a dry run was executed for secret scanning in a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/defining-custom-patterns-for-secret-scanning#editing-a-custom-pattern",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "Defining custom patterns for secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning.disable",
+    "description": "Secret scanning was disabled for a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "repository_secret_scanning.enable",
+    "description": "Secret scanning was enabled for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_secret_scanning_generic_secrets.disabled",
+    "description": "Generic secrets have been disabled at the repository level",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_secret_scanning_generic_secrets.enabled",
+    "description": "Generic secrets have been enabled at the repository level",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_secret_scanning_non_provider_patterns.disabled",
+    "description": "Secret scanning for non-provider patterns was disabled at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "repository_secret_scanning_non_provider_patterns.enabled",
+    "description": "Secret scanning for non-provider patterns was enabled at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/secret-scanning-patterns#non-provider-patterns",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Supported secret scanning patterns"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.add",
+    "description": "A role or team was added to the push protection bypass list at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.disable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Specific roles or teams\" to \"Anyone with write access\" at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.enable",
+    "description": "Push protection settings for \"Users who can bypass push protection for secret scanning\" changed from \"Anyone with write access\" to \"Specific roles or teams\" at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection_bypass_list.remove",
+    "description": "A role or team was removed from the push protection bypass list at the repository level.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#enabling-delegated-bypass-for-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection.disable",
+    "description": "Secret scanning push protection was disabled for a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_secret_scanning_push_protection.enable",
+    "description": "Secret scanning push protection was enabled for a repository.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "repository_security_configuration.applied",
+    "description": "A code security configuration was applied to a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_state",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_security_configuration.failed",
+    "description": "A code security configuration failed to attach to the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_security_configuration.removed",
+    "description": "A code security configuration was removed from a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_state",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_security_configuration.removed_by_settings_change",
+    "description": "A code security configuration was removed due to a change in repository or enterprise settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "repository_security_configuration_state",
+      "repository_security_configuration_failure_reason",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_visibility_change.clear",
+    "description": "The repository visibility change setting was cleared for an organization or enterprise.",
+    "docs_reference_links": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-changes-to-repository-visibility",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "business",
+      "action",
+      "operation_type",
+      "user",
+      "user_id",
+      "business_id",
+      "@timestamp",
+      "user_agent",
+      "actor",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/restricting-repository-visibility-changes-in-your-organization, Enforcing repository management policies in your enterprise"
+  },
+  {
+    "action": "repository_visibility_change.disable",
+    "description": "The ability for enterprise members to update a repository's visibility was disabled. Members are unable to change repository visibilities in an organization, or all organizations in an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "org_id",
+      "created_at",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "org",
+      "operation_type",
+      "_document_id",
+      "@timestamp",
+      "user_id",
+      "action",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_visibility_change.enable",
+    "description": "The ability for enterprise members to update a repository's visibility was enabled. Members are able to change repository visibilities in an organization, or all organizations in an enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "operation_type",
+      "_document_id",
+      "@timestamp",
+      "user_agent",
+      "user",
+      "created_at",
+      "org",
+      "org_id",
+      "action",
+      "actor_id",
+      "user_id",
+      "request_id"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.auto_dismiss",
+    "description": "A Dependabot alert was automatically dismissed because its metadata matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About Dependabot auto-triage rules"
+  },
+  {
+    "action": "repository_vulnerability_alert.auto_reopen",
+    "description": "A previously auto-dismissed Dependabot alert was automatically reopened because its metadata no longer matches an enabled Dependabot rule.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/using-alert-rules-to-prioritize-dependabot-alerts",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About Dependabot auto-triage rules"
+  },
+  {
+    "action": "repository_vulnerability_alert.create",
+    "description": "GitHub created a Dependabot alert because the repository uses a vulnerable dependency.",
+    "docs_reference_links": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "repo_id",
+      "@timestamp",
+      "user_agent",
+      "alert_id",
+      "action",
+      "repo",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/code-security/dependabot/dependabot-alerts/about-dependabot-alerts"
+  },
+  {
+    "action": "repository_vulnerability_alert.dismiss",
+    "description": "A Dependabot alert was manually dismissed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "org_id",
+      "user_id",
+      "request_id",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "alert_id",
+      "actor",
+      "repo",
+      "created_at",
+      "org",
+      "_document_id",
+      "action",
+      "actor_id",
+      "dismiss_reason",
+      "user",
+      "dismiss_comment",
+      "alert_number",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.reintroduce",
+    "description": "A Dependabot alert was automatically reopened because the repository resumed use of a vulnerable dependency.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "alert_id",
+      "created_at",
+      "action",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "_document_id",
+      "@timestamp",
+      "operation_type",
+      "token_scopes",
+      "alert_number"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.reopen",
+    "description": "A Dependabot alert was manually reopened.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "alert_id",
+      "created_at",
+      "action",
+      "repo",
+      "repo_id",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo",
+      "alert_number",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.resolve",
+    "description": "Changes were pushed to update and resolve a Dependabot alert in a project dependency.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "alert_id",
+      "repo",
+      "operation_type",
+      "action",
+      "repo_id",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "actor_id",
+      "token_scopes",
+      "alert_number",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alert.withdraw",
+    "description": "A Dependabot alert was withdrawn.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "alert_id",
+      "alert_number",
+      "ghsa_id",
+      "created_at",
+      "active",
+      "action",
+      "repository_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "owner",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.authorized_users_teams",
+    "description": "The list of people or teams authorized to receive Dependabot alerts for the repository was updated.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts",
+    "fields": [
+      "org",
+      "_document_id",
+      "repo",
+      "org_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "repo_id",
+      "request_id",
+      "actor_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts"
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.disable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was disabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts_auto_dismissal.enable",
+    "description": "Automatic dismissal of low-impact Dependabot alerts was enabled for the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.disable",
+    "description": "Dependabot alerts was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "request_id",
+      "repo_id",
+      "action",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_agent",
+      "org_id",
+      "user",
+      "org",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_vulnerability_alerts.enable",
+    "description": "Dependabot alerts was enabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_agent",
+      "created_at",
+      "@timestamp",
+      "repo_id",
+      "action",
+      "user",
+      "repo",
+      "org",
+      "org_id",
+      "actor_id",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "required_status_check.create",
+    "description": "A status check was marked as required for a protected branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
+    "fields": [
+      "org",
+      "actor_id",
+      "@timestamp",
+      "business",
+      "request_id",
+      "context",
+      "repo_id",
+      "action",
+      "repo",
+      "_document_id",
+      "operation_type",
+      "business_id",
+      "org_id",
+      "actor",
+      "created_at",
+      "user_agent",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging"
+  },
+  {
+    "action": "required_status_check.destroy",
+    "description": "A status check was no longer marked as required for a protected branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging",
+    "fields": [
+      "actor_id",
+      "actor",
+      "created_at",
+      "context",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "org",
+      "user_agent",
+      "repo_id",
+      "org_id",
+      "action",
+      "_document_id",
+      "repo",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-status-checks-before-merging"
+  },
+  {
+    "action": "restrict_notification_delivery.disable",
+    "description": "Email notification restrictions for an organization or enterprise were disabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "restrict_notification_delivery.enable",
+    "description": "Email notification restrictions for an organization or enterprise were enabled.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/restricting-email-notifications-for-your-organization, /admin/policies/enforcing-policies-for-your-enterprise/restricting-email-notifications-for-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "business_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Restricting email notifications for your organization, Restricting email notifications for your enterprise"
+  },
+  {
+    "action": "role.create",
+    "description": "A new custom repository role was created.",
+    "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "name",
+      "owner",
+      "base_role",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "role_permissions",
+      "old_role_permissions"
+    ],
+    "docs_reference_titles": "Managing custom repository roles for an organization"
+  },
+  {
+    "action": "role.destroy",
+    "description": "A custom repository role was deleted.",
+    "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "name",
+      "owner",
+      "role_permissions",
+      "base_role",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing custom repository roles for an organization"
+  },
+  {
+    "action": "role.update",
+    "description": "A custom repository role was edited.",
+    "docs_reference_links": "/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "owner",
+      "role_permissions",
+      "base_role",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "old_role_permissions",
+      "old_base_role"
+    ],
+    "docs_reference_titles": "Managing custom repository roles for an organization"
+  },
+  {
+    "action": "secret_scanning_alert.create",
+    "description": "GitHub detected a secret and created a secret scanning alert.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning_alert.public_leak",
+    "description": "A secret scanning alert was leaked in a public repo.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "created_at"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning_alert.reopen",
+    "description": "A secret scanning alert was reopened.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type_display_name"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.report",
+    "description": "A leaked secret was reported to the secret's provider by secret scanning.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "secret_type",
+      "created_at",
+      "secret_type_display_name",
+      "secret_type_provider",
+      "report_result"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning/resolving-alerts"
+  },
+  {
+    "action": "secret_scanning_alert.resolve",
+    "description": "A secret scanning alert was resolved.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "resolution",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.revoke",
+    "description": "A secret scanning alert was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "secret_scanning_alert.validate",
+    "description": "A secret scanning alert was validated.",
+    "docs_reference_links": "/code-security/secret-scanning/managing-alerts-from-secret-scanning",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "created_at",
+      "previous_validity",
+      "current_validity",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo"
+    ],
+    "docs_reference_titles": "/code-security/secret-scanning/managing-alerts-from-secret-scanning"
+  },
+  {
+    "action": "secret_scanning_closure_request.approve",
+    "description": "A request to close a secret scanning alert was approved by a user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "number",
+      "alert_number",
+      "request_reviewer_comment",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "secret_scanning_closure_request.cancel",
+    "description": "N/A",
+    "docs_reference_links": "A reqeust to close a secret scanning alert was canceled by a user.",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "number",
+      "alert_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "A, reqeust, to, close, a, secret, scanning, alert, was, canceled, by, a, user."
+  },
+  {
+    "action": "secret_scanning_closure_request.create",
+    "description": "N/A",
+    "docs_reference_links": "A user requested to close a secret scanning alert.",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "number",
+      "alert_number",
+      "reason",
+      "comment",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "A, user, requested, to, close, a, secret, scanning, alert."
+  },
+  {
+    "action": "secret_scanning_closure_request.deny",
+    "description": "A request to close a secret scanning alert was denied by a user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "number",
+      "alert_number",
+      "request_reviewer_comment",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "secret_scanning.disable",
+    "description": "Secret scanning was disabled for all existing repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning.enable",
+    "description": "Secret scanning was enabled for all existing repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning_new_repos.disable",
+    "description": "Secret scanning was disabled for all new repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning_new_repos.enable",
+    "description": "Secret scanning was enabled for all new repositories.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "secret_scanning_push_protection.bypass",
+    "description": "Triggered when a user bypasses the push protection on a secret detected by secret scanning.",
+    "docs_reference_links": "/code-security/secret-scanning/protecting-pushes-with-secret-scanning#bypassing-push-protection-for-a-secret",
+    "fields": [
+      "repo_id",
+      "repo",
+      "actor_id",
+      "actor",
+      "org_id",
+      "org",
+      "business",
+      "business_id",
+      "number",
+      "created_at",
+      "push_protection_bypass_reason",
+      "secret_type",
+      "secret_type_display_name",
+      "publicly_leaked",
+      "multi_repo",
+      "request_reviewer",
+      "request_reviewer_id"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.approve",
+    "description": "A request to bypass secret scanning push protection was approved by a user.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.cancel",
+    "description": "A user canceled a request to bypass secret scanning push protection.",
+    "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Working with secret scanning and push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.complete",
+    "description": "A user pushed a commit containing a secret for which there is an approved secret scanning push protection bypass request.",
+    "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Working with secret scanning and push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.deny",
+    "description": "A request to bypass secret scanning push protection was denied by a user.",
+    "docs_reference_links": "/code-security/secret-scanning/push-protection-for-repositories-and-organizations#managing-requests-to-bypass-push-protection",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header",
+      "request_reviewer_comment"
+    ],
+    "docs_reference_titles": "About push protection"
+  },
+  {
+    "action": "secret_scanning_push_protection_request.request",
+    "description": "A user requested to bypass secret scanning push protection.",
+    "docs_reference_links": "/code-security/secret-scanning/working-with-push-protection#requesting-bypass-privileges-when-working-with-the-command-line",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "number",
+      "repository",
+      "repository_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Working with secret scanning and push protection"
+  },
+  {
+    "action": "secret_scanning_scan.completed",
+    "description": "A secret scanning scan has completed on this repository.",
+    "docs_reference_links": "/code-security/secret-scanning/about-secret-scanning",
+    "fields": [
+      "repo_id",
+      "org_id",
+      "business_id",
+      "source",
+      "type",
+      "source_slug",
+      "type_slug",
+      "started_at",
+      "completed_at",
+      "repo",
+      "public_repo",
+      "org",
+      "business",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "secret_types",
+      "custom_pattern_name",
+      "custom_pattern_scope"
+    ],
+    "docs_reference_titles": "About secret scanning"
+  },
+  {
+    "action": "security_configuration.create",
+    "description": "A security configuration was created",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "security_configuration_description",
+      "security_configuration_created_at",
+      "security_configuration_updated_at",
+      "security_configuration_enable_ghas",
+      "security_configuration_private_vulnerability_reporting",
+      "security_configuration_dependency_graph",
+      "security_configuration_dependabot_alerts",
+      "security_configuration_dependabot_security_updates",
+      "security_configuration_code_scanning",
+      "security_configuration_secret_scanning",
+      "security_configuration_secret_scanning_push_protection",
+      "security_configuration_secret_scanning_validity_checks",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "security_configuration_dependency_graph_autosubmit_action",
+      "security_configuration_secret_scanning_non_provider_patterns",
+      "security_configuration_secret_scanning_delegated_bypass",
+      "security_configuration_secret_scanning_generic_secrets",
+      "security_configuration_secret_scanning_delegated_alert_dismissal",
+      "security_configuration_code_scanning_delegated_alert_dismissal",
+      "security_configuration_code_security_sku_enabled",
+      "security_configuration_secret_protection_sku_enabled"
+    ]
+  },
+  {
+    "action": "security_configuration_default.delete",
+    "description": "A default security configuration setting for new repositories was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "default_for_new_private_repos",
+      "default_for_new_public_repos",
+      "security_configuration_name",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "security_configuration_default.update",
+    "description": "A default security configuration setting for new repositories was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "default_for_new_private_repos",
+      "default_for_new_public_repos",
+      "security_configuration_name",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "security_configuration.delete",
+    "description": "A security configuration was deleted",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "security_configuration_description",
+      "security_configuration_created_at",
+      "security_configuration_updated_at",
+      "security_configuration_enable_ghas",
+      "security_configuration_private_vulnerability_reporting",
+      "security_configuration_dependency_graph",
+      "security_configuration_dependabot_alerts",
+      "security_configuration_dependabot_security_updates",
+      "security_configuration_code_scanning",
+      "security_configuration_secret_scanning",
+      "security_configuration_secret_scanning_push_protection",
+      "security_configuration_secret_scanning_validity_checks",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "security_configuration_dependency_graph_autosubmit_action",
+      "security_configuration_secret_scanning_non_provider_patterns",
+      "security_configuration_secret_scanning_delegated_bypass",
+      "security_configuration_secret_scanning_delegated_alert_dismissal",
+      "security_configuration_code_scanning_delegated_alert_dismissal",
+      "security_configuration_code_security_sku_enabled",
+      "security_configuration_secret_protection_sku_enabled"
+    ]
+  },
+  {
+    "action": "security_configuration_policy.update",
+    "description": "A security configuration policy was updated",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "enforcement",
+      "security_configuration_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "security_configuration.update",
+    "description": "A security configuration was updated",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "security_configuration_id",
+      "security_configuration_name",
+      "security_configuration_description",
+      "security_configuration_created_at",
+      "security_configuration_updated_at",
+      "security_configuration_enable_ghas",
+      "security_configuration_private_vulnerability_reporting",
+      "security_configuration_dependency_graph",
+      "security_configuration_dependabot_alerts",
+      "security_configuration_dependabot_security_updates",
+      "security_configuration_code_scanning",
+      "security_configuration_secret_scanning",
+      "security_configuration_secret_scanning_push_protection",
+      "security_configuration_secret_scanning_validity_checks",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "security_configuration_dependency_graph_autosubmit_action",
+      "security_configuration_secret_scanning_non_provider_patterns",
+      "security_configuration_secret_scanning_delegated_bypass",
+      "security_configuration_secret_scanning_generic_secrets",
+      "security_configuration_secret_scanning_delegated_alert_dismissal",
+      "security_configuration_code_scanning_delegated_alert_dismissal",
+      "security_configuration_code_security_sku_enabled",
+      "security_configuration_secret_protection_sku_enabled"
+    ]
+  },
+  {
+    "action": "sponsors.agreement_sign",
+    "description": "A GitHub Sponsors agreement was signed on behalf of an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.custom_amount_settings_change",
+    "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "sponsors_listing_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers"
+  },
+  {
+    "action": "sponsors.fiscal_host_change",
+    "description": "The fiscal host for a GitHub Sponsors listing was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.invoiced_agreement_sign",
+    "description": "An agreement for invoiced billing for GitHub Sponsors was signed.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/paying-for-github-sponsors-by-invoice"
+  },
+  {
+    "action": "sponsors.repo_funding_links_file_action",
+    "description": "The FUNDING file in a repository was changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository",
+    "fields": [
+      "@timestamp",
+      "action",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repository",
+      "repository_id",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_cancel",
+    "description": "A sponsorship was canceled.",
+    "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship",
+    "fields": [
+      "operation_type",
+      "_document_id",
+      "created_at",
+      "actor",
+      "user",
+      "action",
+      "actor_id",
+      "user_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Downgrading a sponsorship"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_create",
+    "description": "A sponsorship was created, by sponsoring an account.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes",
+    "fields": [
+      "actor",
+      "user_id",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_payment_complete",
+    "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes",
+    "fields": [
+      "active",
+      "user",
+      "user_id",
+      "actor",
+      "actor_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_preference_change",
+    "description": "The option to receive email updates from a sponsored account was changed.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship",
+    "fields": [
+      "actor_id",
+      "action",
+      "@timestamp",
+      "request_id",
+      "user_id",
+      "created_at",
+      "user",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_tier_change",
+    "description": "A sponsorship was upgraded or downgraded.",
+    "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship",
+    "fields": [
+      "user_id",
+      "actor",
+      "actor_id",
+      "action",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship"
+  },
+  {
+    "action": "sponsors.sponsored_developer_approve",
+    "description": "A GitHub Sponsors account was approved.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "actor",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_create",
+    "description": "A GitHub Sponsors account was created.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "request_id",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_disable",
+    "description": "A GitHub Sponsors account was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "sponsors.sponsored_developer_profile_update",
+    "description": "The profile for GitHub Sponsors account was edited.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors",
+    "fields": [
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "actor",
+      "action",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors"
+  },
+  {
+    "action": "sponsors.sponsored_developer_redraft",
+    "description": "A GitHub Sponsors account was returned to draft state from approved state.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "user",
+      "action",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user_id"
+    ]
+  },
+  {
+    "action": "sponsors.sponsored_developer_request_approval",
+    "description": "An application for GitHub Sponsors was submitted for approval.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_agent",
+      "user",
+      "@timestamp",
+      "actor_id",
+      "user_id",
+      "request_id",
+      "_document_id",
+      "actor",
+      "action",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_tier_description_update",
+    "description": "The description for a sponsorship tier was changed.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "actor",
+      "user_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "user",
+      "created_at"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers"
+  },
+  {
+    "action": "sponsors.sponsors_patreon_user_create",
+    "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "patreon_email",
+      "patreon_username",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account"
+  },
+  {
+    "action": "sponsors.sponsors_patreon_user_destroy",
+    "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "patreon_email",
+      "patreon_username",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Unlinking your Patreon account from GitHub"
+  },
+  {
+    "action": "sponsors.update_tier_repository",
+    "description": "A GitHub Sponsors tier changed access for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "repo",
+      "repo_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.update_tier_welcome_message",
+    "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.withdraw_agreement_signature",
+    "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "ssh_certificate_authority.create",
+    "description": "An SSH certificate authority for an organization or enterprise was created.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "fingerprint",
+      "operation_type",
+      "openssh_public_key",
+      "org_id",
+      "actor",
+      "created_at",
+      "org",
+      "action",
+      "user_agent",
+      "actor_id",
+      "request_id"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "ssh_certificate_authority.destroy",
+    "description": "An SSH certificate authority for an organization or enterprise was deleted.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "created_at",
+      "_document_id",
+      "fingerprint",
+      "operation_type",
+      "actor",
+      "org_id",
+      "openssh_public_key",
+      "org",
+      "action",
+      "user_agent",
+      "actor_id",
+      "@timestamp",
+      "request_id"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "ssh_certificate_requirement.disable",
+    "description": "The requirement for members to use SSH certificates to access an organization resources was disabled.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "user",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "request_id",
+      "org",
+      "org_id",
+      "created_at",
+      "actor",
+      "action",
+      "user_id",
+      "business",
+      "business_id",
+      "@timestamp",
+      "actor_id"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "ssh_certificate_requirement.enable",
+    "description": "The requirement for members to use SSH certificates to access an organization resources was enabled.",
+    "docs_reference_links": "/organizations/managing-git-access-to-your-organizations-repositories/managing-your-organizations-ssh-certificate-authorities, /admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-security-settings-in-your-enterprise#managing-ssh-certificate-authorities-for-your-enterprise",
+    "fields": [
+      "actor_id",
+      "user_id",
+      "org",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "user",
+      "action",
+      "org_id",
+      "created_at",
+      "user_agent"
+    ],
+    "docs_reference_titles": "Managing your organization's SSH certificate authorities, Enforcing policies for security settings in your enterprise"
+  },
+  {
+    "action": "staff.dependabot_debug_credentials_generated",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "staff.set_domain_token_expiration",
+    "description": "The verification code expiry time for an organization or enterprise domain was set.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner_type",
+      "domain_name",
+      "business_id",
+      "token_expires_at",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "staff.unverify_domain",
+    "description": "An organization or enterprise domain was unverified.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "owner_type",
+      "domain_name",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "staff.verify_domain",
+    "description": "An organization or enterprise domain was verified.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "domain_name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "team.add_member",
+    "description": "A member of an organization was added to a team.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "org_id",
+      "user_id",
+      "team",
+      "user",
+      "@timestamp",
+      "actor_id",
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "org",
+      "action",
+      "actor",
+      "programmatic_access_type",
+      "team_type"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/adding-organization-members-to-a-team"
+  },
+  {
+    "action": "team.add_repository",
+    "description": "A team was given access and permissions to a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "team",
+      "action",
+      "operation_type",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "org",
+      "repo",
+      "actor_id",
+      "_document_id",
+      "repo_id",
+      "user_agent",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "team.add_to_organization",
+    "description": "A team was added to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "team.change_parent_team",
+    "description": "A child team was created or a child team's parent was changed.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy",
+    "fields": [
+      "org",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "team",
+      "action",
+      "operation_type",
+      "actor",
+      "request_id",
+      "actor_id",
+      "user_agent",
+      "org_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/moving-a-team-in-your-organizations-hierarchy"
+  },
+  {
+    "action": "team.change_privacy",
+    "description": "A team's privacy level was changed.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/changing-team-visibility",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "org",
+      "action",
+      "team",
+      "created_at",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "@timestamp",
+      "actor",
+      "_document_id",
+      "team_type"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/changing-team-visibility"
+  },
+  {
+    "action": "team.create",
+    "description": "A new team is created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "oauth_application_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "org_id",
+      "user_agent",
+      "team",
+      "org",
+      "actor",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "team_type"
+    ]
+  },
+  {
+    "action": "team.demote_maintainer",
+    "description": "A user was demoted from a team maintainer to a team member.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "team",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member"
+  },
+  {
+    "action": "team.destroy",
+    "description": "A team was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org",
+      "team",
+      "org_id",
+      "actor_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "_document_id",
+      "programmatic_access_type",
+      "team_type"
+    ]
+  },
+  {
+    "action": "team_discussions.clear",
+    "description": "An organization owner cleared the setting to allow team discussions for an organization or enterprise.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "business_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "user",
+      "business",
+      "action",
+      "request_id",
+      "created_at",
+      "user_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "team_discussions.disable",
+    "description": "Team discussions were disabled for an organization.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/disabling-team-discussions-for-your-organization",
+    "fields": [
+      "org_id",
+      "action",
+      "operation_type",
+      "request_id",
+      "actor",
+      "org",
+      "created_at",
+      "actor_id",
+      "user",
+      "user_id",
+      "@timestamp",
+      "user_agent",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Organizations and teams documentation"
+  },
+  {
+    "action": "team_discussions.enable",
+    "description": "Team discussions were enabled for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "@timestamp",
+      "action",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "business_id",
+      "request_id",
+      "user",
+      "business",
+      "operation_type",
+      "actor",
+      "created_at"
+    ]
+  },
+  {
+    "action": "team_group_mapping.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "actor",
+      "action",
+      "operation_type",
+      "team",
+      "@timestamp",
+      "actor_id",
+      "org",
+      "_document_id",
+      "org_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "team_group_mapping.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "@timestamp",
+      "actor_id",
+      "_document_id",
+      "team",
+      "created_at",
+      "org_id",
+      "action",
+      "request_id",
+      "user_agent",
+      "actor",
+      "org",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "team_group_mapping.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "team",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "team.promote_maintainer",
+    "description": "A user was promoted from a team member to a team maintainer.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "team",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/assigning-the-team-maintainer-role-to-a-team-member#promoting-an-organization-member-to-team-maintainer"
+  },
+  {
+    "action": "team.remove_from_organization",
+    "description": "A team was removed from an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "team_type",
+      "team",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "team.remove_member",
+    "description": "An organization member was removed from a team.",
+    "docs_reference_links": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team",
+    "fields": [
+      "request_id",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "org",
+      "org_id",
+      "team",
+      "user_id",
+      "actor",
+      "user",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "team_type"
+    ],
+    "docs_reference_titles": "/organizations/organizing-members-into-teams/removing-organization-members-from-a-team"
+  },
+  {
+    "action": "team.remove_repository",
+    "description": "A repository was removed from a team's control.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "org_id",
+      "repo",
+      "repo_id",
+      "action",
+      "_document_id",
+      "actor",
+      "@timestamp",
+      "actor_id",
+      "user_agent",
+      "created_at",
+      "team",
+      "org",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "team.rename",
+    "description": "A team's name was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "name",
+      "user_agent",
+      "created_at",
+      "team",
+      "operation_type",
+      "actor_id",
+      "org",
+      "action",
+      "request_id",
+      "actor",
+      "org_id",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "team_type"
+    ]
+  },
+  {
+    "action": "team_sync_tenant.disabled",
+    "description": "Team synchronization with a tenant was disabled.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise",
+    "fields": [
+      "action",
+      "created_at",
+      "actor",
+      "request_id",
+      "org_id",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "@timestamp",
+      "org",
+      "user_agent"
+    ],
+    "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise"
+  },
+  {
+    "action": "team_sync_tenant.enabled",
+    "description": "Team synchronization with a tenant was enabled.",
+    "docs_reference_links": "/organizations/managing-saml-single-sign-on-for-your-organization/managing-team-synchronization-for-your-organization, /admin/identity-and-access-management/using-saml-for-enterprise-iam/managing-team-synchronization-for-organizations-in-your-enterprise",
+    "fields": [
+      "org_id",
+      "business_id",
+      "actor",
+      "created_at",
+      "user_agent",
+      "@timestamp",
+      "operation_type",
+      "business",
+      "actor_id",
+      "org",
+      "request_id",
+      "action",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing team synchronization for your organization, Managing team synchronization for organizations in your enterprise"
+  },
+  {
+    "action": "team_sync_tenant.update_okta_credentials",
+    "description": "The Okta credentials for team synchronization with a tenant were changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "team.update_repository_permission",
+    "description": "A team's permission to a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "team",
+      "org_id",
+      "@timestamp",
+      "org",
+      "_document_id",
+      "old_permission",
+      "request_id",
+      "repo",
+      "action",
+      "repo_id",
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "permission",
+      "new_repo_permission",
+      "new_repo_base_role",
+      "old_repo_permission",
+      "old_repo_base_role",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user_content_edit.delete",
+    "description": "Triggered when a user content edit is deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "user_content_id",
+      "user_content_type",
+      "created_at",
+      "user_agent",
+      "deleted_by",
+      "editor_id",
+      "_document_id",
+      "deleted_at",
+      "action",
+      "actor_id",
+      "editor",
+      "deleted_by_id",
+      "deleted_content",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.create",
+    "description": "A Dependabot rule was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.delete",
+    "description": "A Dependabot rule was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.disable",
+    "description": "A Dependabot rule was disabled for a single repository or disabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.enable",
+    "description": "A Dependabot rule was enabled for a single repository or enabled by default for an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_disable",
+    "description": "A Dependabot rule was enabled for an organization and cannot be disabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.force_enable",
+    "description": "A Dependabot rule was disabled for an organization and cannot be enabled for its repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "org",
+      "org_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "vulnerability_alert_rule.update",
+    "description": "A Dependabot rule's conditions, actions, or metadata changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "vulnerability_alert_rule_id",
+      "vulnerability_alert_rule_name",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "workflows.approve_workflow_job",
+    "description": "A workflow job was approved.",
+    "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Reviewing deployments"
+  },
+  {
+    "action": "workflows.bypass_protection_rules",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "workflow_run_id",
+      "run_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.cancel_workflow_run",
+    "description": "A workflow run was cancelled.",
+    "docs_reference_links": "/actions/managing-workflow-runs/canceling-a-workflow",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "run_number",
+      "cancelled_at",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Canceling a workflow run"
+  },
+  {
+    "action": "workflows.comment_workflow_job",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "workflows.completed_workflow_run",
+    "description": "A workflow status changed to completed. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/monitoring-and-troubleshooting-workflows/viewing-workflow-run-history",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "completed_at",
+      "conclusion",
+      "run_number",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "run_attempt",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Viewing workflow run history"
+  },
+  {
+    "action": "workflows.created_workflow_run",
+    "description": "A workflow run was create. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/learn-github-actions/understanding-github-actions#create-an-example-workflow",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Understanding GitHub Actions"
+  },
+  {
+    "action": "workflows.delete_workflow_run",
+    "description": "A workflow run was deleted.",
+    "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "workflow_run_id",
+      "started_at",
+      "head_branch",
+      "head_sha",
+      "trigger_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Deleting a workflow run"
+  },
+  {
+    "action": "workflows.disable_workflow",
+    "description": "A workflow was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "workflow_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.enable_workflow",
+    "description": "A workflow was enabled, after previously being disabled by disable_workflow.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "workflow_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.pin_workflow",
+    "description": "A workflow was pinned.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "workflow_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.prepared_workflow_job",
+    "description": "A workflow job was started. Includes the list of secrets that were provided to the job. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+    "docs_reference_links": "/actions/using-workflows/events-that-trigger-workflows",
+    "fields": [
+      "repo_id",
+      "repo",
+      "org_id",
+      "org",
+      "business_id",
+      "business",
+      "workflow_run_id",
+      "job_name",
+      "runner_labels",
+      "is_hosted_runner",
+      "environment_name",
+      "secrets_passed",
+      "action",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "@timestamp",
+      "runner_owner_type",
+      "job_workflow_ref",
+      "calling_workflow_refs",
+      "calling_workflow_shas",
+      "imposer_repo"
+    ],
+    "docs_reference_titles": "Events that trigger workflows"
+  },
+  {
+    "action": "workflows.reject_workflow_job",
+    "description": "A workflow job was rejected.",
+    "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Reviewing deployments"
+  },
+  {
+    "action": "workflows.rerun_workflow_run",
+    "description": "A workflow run was re-run.",
+    "docs_reference_links": "/actions/managing-workflow-runs/re-running-workflows-and-jobs",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "started_at",
+      "event",
+      "name",
+      "workflow_run_id",
+      "head_branch",
+      "head_sha",
+      "run_number",
+      "workflow_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "business",
+      "business_id",
+      "trigger_id",
+      "run_attempt",
+      "rerun_type",
+      "check_run_id",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Re-running workflows and jobs"
+  },
+  {
+    "action": "workflows.unpin_workflow",
+    "description": "A workflow was unpinned after previously being pinned.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "workflow_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  }
+]
\ No newline at end of file
diff --git a/src/audit-logs/data/ghes-3.19/user.json b/src/audit-logs/data/ghes-3.19/user.json
new file mode 100644
index 000000000000..8448a7a0dbf8
--- /dev/null
+++ b/src/audit-logs/data/ghes-3.19/user.json
@@ -0,0 +1,9055 @@
+[
+  {
+    "action": "account.billing_date_change",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "_document_id",
+      "created_at",
+      "action",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org_id"
+    ]
+  },
+  {
+    "action": "account.plan_change",
+    "description": "The account's plan changed.",
+    "docs_reference_links": "/billing/managing-the-plan-for-your-github-account/about-billing-for-plans",
+    "fields": [
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "created_at",
+      "actor_id",
+      "request_id",
+      "@timestamp",
+      "user",
+      "action",
+      "user_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "How GitHub billing works"
+  },
+  {
+    "action": "account_recovery_token.confirm",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "token_id",
+      "user_id",
+      "user",
+      "actor",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "account_recovery_token.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "created_at",
+      "token_id",
+      "user",
+      "request_id",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "user_id",
+      "actor_id",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "account_recovery_token.recover",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "user_agent",
+      "request_id",
+      "action",
+      "_document_id",
+      "user_id",
+      "token_id"
+    ]
+  },
+  {
+    "action": "actions_cache.delete",
+    "description": "A GitHub Actions cache was deleted using the REST API.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "user_id",
+      "user",
+      "repo_id",
+      "repo",
+      "org",
+      "org_id",
+      "actions_cache_id",
+      "actions_cache_key",
+      "actions_cache_version",
+      "actions_cache_scope",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "artifact.destroy",
+    "description": "A workflow run artifact was manually deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "request_id",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "operation_type",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "billing.budget_create",
+    "description": "A billing budget was created for a business or organization. Includes details about the budget limit, alerting preferences, and recipients.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "pricing_target_type",
+      "pricing_target_id",
+      "budget_limit_type",
+      "alert_recipient_user_ids"
+    ]
+  },
+  {
+    "action": "billing.budget_delete",
+    "description": "A billing budget was deleted for a business or organization. Includes details about the removed budget and any alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "uuid",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "billing.budget_update",
+    "description": "A billing budget was updated for a business or organization. Includes details about the updated limit and alerting settings.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "customer_id",
+      "target_amount",
+      "target_type",
+      "target_id",
+      "alert_enabled",
+      "status",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "old_target_amount",
+      "old_budget_limit_type",
+      "old_alert_enabled",
+      "old_target_id"
+    ]
+  },
+  {
+    "action": "billing.change_billing_type",
+    "description": "The way the account pays for GitHub was changed.",
+    "docs_reference_links": "/billing/managing-your-github-billing-settings/adding-or-editing-a-payment-method",
+    "fields": [
+      "actor_id",
+      "user",
+      "@timestamp",
+      "actor",
+      "user_id",
+      "action",
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "request_id"
+    ],
+    "docs_reference_titles": "Managing your payment and billing information"
+  },
+  {
+    "action": "billing.change_email",
+    "description": "The billing email address changed.",
+    "docs_reference_links": "/billing/managing-your-github-billing-settings/setting-your-billing-email",
+    "fields": [
+      "actor",
+      "operation_type",
+      "actor_id",
+      "org_id",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "org",
+      "email",
+      "action",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing your payment and billing information"
+  },
+  {
+    "action": "billing_customer.azure_subscription_linked",
+    "description": "Azure subscription has been linked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing_customer.azure_subscription_unlinked",
+    "description": "Azure subscription has been unlinked on this account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "billing.lock",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "oauth_application_id",
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "request_id",
+      "actor",
+      "user",
+      "user_id",
+      "user_agent",
+      "created_at",
+      "action"
+    ]
+  },
+  {
+    "action": "billing.unlock",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "operation_type",
+      "user_agent",
+      "created_at",
+      "user_id",
+      "request_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "billing.update_bill_cycle_day",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "business.security_center_export_code_scanning_metrics",
+    "description": "A CSV export was requested on the \"CodeQL pull request alerts\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.security_center_export_coverage",
+    "description": "A CSV export was requested on the \"Coverage\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the \"Overview Dashboard\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "business.security_center_export_risk",
+    "description": "A CSV export was requested on the \"Risk\" page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "business_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "business.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_fork_pr_approvals_policy",
+    "description": "The policy for requiring approvals for workflows from public forks was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-private-repositories",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "policy",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-artifact-and-log-retention-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "limit",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-workflow-permissions-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_fork_pr_workflows_policy",
+    "description": "The policy for fork pull request workflows was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#enforcing-a-policy-for-fork-pull-requests-in-your-enterprise",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "policy",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "business.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an enterprise.",
+    "docs_reference_links": "/admin/policies/enforcing-policies-for-your-enterprise/enforcing-policies-for-github-actions-in-your-enterprise#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Enforcing policies for GitHub Actions in your enterprise"
+  },
+  {
+    "action": "checks.auto_trigger_disabled",
+    "description": "Automatic creation of check suites was disabled on a repository in the organization or enterprise.",
+    "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites",
+    "fields": [
+      "visibility",
+      "user_agent",
+      "user",
+      "@timestamp",
+      "repo",
+      "actor_id",
+      "user_id",
+      "action",
+      "created_at",
+      "actor",
+      "operation_type",
+      "request_id",
+      "repo_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites"
+  },
+  {
+    "action": "checks.auto_trigger_enabled",
+    "description": "Automatic creation of check suites was enabled on a repository in the organization or enterprise.",
+    "docs_reference_links": "/rest/checks#update-repository-preferences-for-check-suites",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/rest/checks#update-repository-preferences-for-check-suites"
+  },
+  {
+    "action": "checks.delete_logs",
+    "description": "Logs in a check suite were deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "repo_id",
+      "action",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "codespaces.allow_permissions",
+    "description": "A codespace using custom permissions from its devcontainer.json file was launched.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "origin_repository",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "codespaces.connect",
+    "description": "Credentials for a codespace were refreshed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "user_id",
+      "org_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "machine_type",
+      "devcontainer_path"
+    ]
+  },
+  {
+    "action": "codespaces.create",
+    "description": "A codespace was created",
+    "docs_reference_links": "/codespaces/developing-in-codespaces/creating-a-codespace-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "machine_type",
+      "devcontainer_path"
+    ],
+    "docs_reference_titles": "Creating a codespace for a repository"
+  },
+  {
+    "action": "codespaces.destroy",
+    "description": "A user deleted a codespace.",
+    "docs_reference_links": "/codespaces/developing-in-codespaces/deleting-a-codespace",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repository_id",
+      "repository",
+      "pull_request_id",
+      "owner",
+      "name",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Deleting a codespace"
+  },
+  {
+    "action": "codespaces.export_environment",
+    "description": "A codespace was exported to a branch on GitHub.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "owner",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo"
+    ]
+  },
+  {
+    "action": "codespaces.restore",
+    "description": "A codespace was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "codespaces.start_environment",
+    "description": "A codespace was started.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "org",
+      "owner",
+      "pull_request_id",
+      "machine_type",
+      "user_id",
+      "user",
+      "devcontainer_path",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "codespaces.suspend_environment",
+    "description": "A codespace was stopped.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "codespaces.trusted_repositories_access_update",
+    "description": "A personal account's access and security setting for Codespaces were updated.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "business",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "copilot.cfb_seat_added",
+    "description": "A Copilot Business or Copilot Enterprise seat was added for a user and they have received access to GitHub Copilot. This can occur as the result of directly assigning a seat for a user, assigning a seat for a team, or setting the organization to allow access for all members.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_created",
+    "description": "A Copilot Business or Copilot Enterprise seat assignment was newly created for a user or a team, and seats are being created.",
+    "docs_reference_links": "/copilot/overview-of-github-copilot/about-github-copilot-for-business",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "What is GitHub Copilot?"
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_refreshed",
+    "description": "A seat assignment that was previously pending cancellation was re-assigned and the user will retain access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "token_id",
+      "token_scopes",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_reused",
+    "description": "A Copilot Business or Copilot Enterprise seat assignment was re-created for a user who already had a seat with no pending cancellation date, and the user will retain access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_assignment_unassigned",
+    "description": "A user or team's Copilot Business or Copilot Enterprise seat assignment was unassigned, and the user(s) will lose access to Copilot at the end of the current billing cycle.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_cancelled",
+    "description": "A user's Copilot Business or Copilot Enterprise seat was canceled, and the user no longer has access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "seat_assignment",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "copilot.cfb_seat_cancelled_by_staff",
+    "description": "A user's Copilot Business or Copilot Enterprise seat was canceled manually by GitHub staff, and the user no longer has access to Copilot.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_id",
+      "user",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_disabled",
+    "description": "Specific repositories were disabled from using Copilot coding agent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org_id",
+      "owner_type",
+      "actor_id",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_enabled",
+    "description": "Specific repositories were enabled to use Copilot coding agent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org_id",
+      "owner_type",
+      "owner",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "copilot.swe_agent_repo_enablement_updated",
+    "description": "Copilot coding agent access was updated for the organization's or user's repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "new_access",
+      "old_access",
+      "org_id",
+      "owner_type",
+      "owner",
+      "org",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "custom_hosted_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "dependabot_alerts.disable",
+    "description": "Dependabot alerts were disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories"
+  },
+  {
+    "action": "dependabot_alerts.enable",
+    "description": "Dependabot alerts were enabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-for-all-existing-repositories"
+  },
+  {
+    "action": "dependabot_alerts_new_repos.disable",
+    "description": "Dependabot alerts were disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added"
+  },
+  {
+    "action": "dependabot_alerts_new_repos.enable",
+    "description": "Dependabot alerts were enabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization#enabling-or-disabling-a-feature-automatically-when-new-repositories-are-added"
+  },
+  {
+    "action": "dependabot_repository_access.repositories_updated",
+    "description": "The repositories that Dependabot can access were updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependabot_security_updates.disable",
+    "description": "Dependabot security updates were disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependabot_security_updates.enable",
+    "description": "Dependabot security updates were enabled for all existing repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependabot_security_updates_new_repos.disable",
+    "description": " Dependabot security updates were disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependabot_security_updates_new_repos.enable",
+    "description": "Dependabot security updates were enabled for all new repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependency_graph.disable",
+    "description": "The dependency graph was disabled for all existing repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependency_graph.enable",
+    "description": "The dependency graph was enabled for all existing repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "dependency_graph_new_repos.disable",
+    "description": "The dependency graph was disabled for all new repositories.",
+    "docs_reference_links": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/managing-security-and-analysis-settings-for-your-organization"
+  },
+  {
+    "action": "dependency_graph_new_repos.enable",
+    "description": "The dependency graph was enabled for all new repositories.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "environment.add_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was created via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "environment.create_actions_secret",
+    "description": "A secret was created for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.create_actions_variable",
+    "description": "A variable was created for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.delete",
+    "description": "An environment was deleted.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deleting-an-environment",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.remove_actions_secret",
+    "description": "A secret was deleted for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.remove_actions_variable",
+    "description": "A variable was deleted for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.remove_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was deleted via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.update_actions_secret",
+    "description": "A secret was updated for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#environment-secrets",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "environment.update_actions_variable",
+    "description": "A variable was updated for a GitHub Actions environment.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-an-environment",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "environment_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "environment.update_protection_rule",
+    "description": "A GitHub Actions deployment protection rule was updated via the API.",
+    "docs_reference_links": "/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-protection-rules",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "new_value",
+      "approvers_was",
+      "approvers",
+      "programmatic_access_type",
+      "can_admins_bypass",
+      "prevent_self_review"
+    ],
+    "docs_reference_titles": "Managing environments for deployment"
+  },
+  {
+    "action": "gist.create",
+    "description": "A gist was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user_id",
+      "user",
+      "gist_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "visibility",
+      "action",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "gist.destroy",
+    "description": "A gist was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "gist_id",
+      "visibility",
+      "created_at",
+      "_document_id",
+      "user",
+      "request_id",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "action",
+      "user_agent",
+      "@timestamp",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "gist.visibility_change",
+    "description": "The visibility of a gist was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "actor",
+      "user",
+      "gist_id",
+      "actor_id",
+      "request_id",
+      "visibility",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "git_signing_ssh_public_key.create",
+    "description": "An SSH key was added to a user account as a Git commit signing key.",
+    "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "key",
+      "fingerprint",
+      "user_id",
+      "user",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key"
+  },
+  {
+    "action": "git_signing_ssh_public_key.delete",
+    "description": "An SSH key was removed from a user account as a Git commit signing key.",
+    "docs_reference_links": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "key",
+      "fingerprint",
+      "user_id",
+      "explanation",
+      "user",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/managing-commit-signature-verification/telling-git-about-your-signing-key"
+  },
+  {
+    "action": "github_hosted_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "runner_group_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "github_hosted_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "github_hosted_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "runner_group_id",
+      "business",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "gpg_key.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "created_at",
+      "user_id",
+      "@timestamp",
+      "user",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "action",
+      "user_agent",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "gpg_key.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "action",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "hook.active_changed",
+    "description": "A hook's active status was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "name",
+      "events",
+      "active",
+      "active_was",
+      "hook_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.config_changed",
+    "description": "A hook's configuration was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "name",
+      "org",
+      "user_agent",
+      "request_id",
+      "hook_id",
+      "repo",
+      "repo_id",
+      "created_at",
+      "oauth_application_id",
+      "action",
+      "events",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.create",
+    "description": "A new hook was added.",
+    "docs_reference_links": "/get-started/exploring-integrations/about-webhooks",
+    "fields": [
+      "oauth_application",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "repo_id",
+      "request_id",
+      "hook_id",
+      "events",
+      "repo",
+      "@timestamp",
+      "operation_type",
+      "name",
+      "action",
+      "created_at",
+      "org_id",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "About webhooks"
+  },
+  {
+    "action": "hook.destroy",
+    "description": "A hook was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "events",
+      "repo",
+      "created_at",
+      "org",
+      "name",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "org_id",
+      "action",
+      "operation_type",
+      "oauth_application_id",
+      "user_agent",
+      "hook_id",
+      "@timestamp",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "hook.events_changed",
+    "description": "A hook's configured events were changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "events",
+      "repo",
+      "operation_type",
+      "action",
+      "_document_id",
+      "actor_id",
+      "name",
+      "events_were",
+      "@timestamp",
+      "created_at",
+      "hook_id",
+      "repo_id",
+      "org_id",
+      "org",
+      "user_agent",
+      "request_id",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "integration.create",
+    "description": "A GitHub App was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "request_id",
+      "name",
+      "user_id",
+      "_document_id",
+      "integration",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.destroy",
+    "description": "A GitHub App was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "actor_id",
+      "request_id",
+      "@timestamp",
+      "name",
+      "integration",
+      "user",
+      "_document_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "integration.generate_client_secret",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration_installation.create",
+    "description": "A GitHub App was installed.",
+    "docs_reference_links": "/apps/using-github-apps/authorizing-github-apps",
+    "fields": [
+      "operation_type",
+      "@timestamp",
+      "name",
+      "request_id",
+      "repository_selection",
+      "user_id",
+      "action",
+      "user_agent",
+      "user",
+      "created_at",
+      "integration",
+      "_document_id",
+      "programmatic_access_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/authorizing-github-apps"
+  },
+  {
+    "action": "integration_installation.destroy",
+    "description": "A GitHub App was uninstalled.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "@timestamp",
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "repository_selection",
+      "integration",
+      "user_id",
+      "user",
+      "action",
+      "operation_type",
+      "name",
+      "actor_id",
+      "user_agent",
+      "programmatic_access_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.repositories_added",
+    "description": "Repositories were added to a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access",
+    "fields": [
+      "user_id",
+      "repository_selection",
+      "name",
+      "user",
+      "request_id",
+      "integration",
+      "operation_type",
+      "actor_id",
+      "action",
+      "repositories_added",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "token_scopes",
+      "repositories_added_names",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access"
+  },
+  {
+    "action": "integration_installation.repositories_removed",
+    "description": "Repositories were removed from a GitHub App.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access",
+    "fields": [
+      "user",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "repository_selection",
+      "repositories_removed",
+      "integration",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "name",
+      "action",
+      "actor_id",
+      "repositories_removed_names",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#modifying-repository-access"
+  },
+  {
+    "action": "integration_installation.suspend",
+    "description": "A GitHub App was suspended.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "name",
+      "repository_selection",
+      "actor_id",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.unsuspend",
+    "description": "A GitHub App was unsuspended.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "name",
+      "repository_selection",
+      "actor_id",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/reviewing-and-modifying-installed-github-apps#blocking-access"
+  },
+  {
+    "action": "integration_installation.version_updated",
+    "description": "Permissions for a GitHub App were updated.",
+    "docs_reference_links": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app",
+    "fields": [
+      "integration",
+      "user_id",
+      "user_agent",
+      "name",
+      "user",
+      "operation_type",
+      "actor_id",
+      "action",
+      "_document_id",
+      "request_id",
+      "created_at",
+      "repository_selection",
+      "@timestamp",
+      "actor",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/using-github-apps/approving-updated-permissions-for-a-github-app"
+  },
+  {
+    "action": "integration.manager_added",
+    "description": "A member of an enterprise or organization was added as a GitHub App manager.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization",
+    "fields": [
+      "created_at",
+      "action",
+      "_document_id",
+      "name",
+      "org_id",
+      "manager",
+      "operation_type",
+      "actor",
+      "integration",
+      "org",
+      "@timestamp",
+      "actor_id",
+      "request_id",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#giving-someone-the-ability-to-manage-all-github-apps-owned-by-the-organization"
+  },
+  {
+    "action": "integration.manager_removed",
+    "description": "A member of an enterprise or organization was removed from being a GitHub App manager.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "org",
+      "operation_type",
+      "integration",
+      "org_id",
+      "_document_id",
+      "action",
+      "actor",
+      "name",
+      "created_at",
+      "manager",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/adding-and-removing-github-app-managers-in-your-organization#removing-a-github-app-managers-permissions-for-the-entire-organization"
+  },
+  {
+    "action": "integration.remove_client_secret",
+    "description": "A client secret for a GitHub App was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "integration.revoke_all_tokens",
+    "description": "All user tokens for a GitHub App were requested to be revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.revoke_tokens",
+    "description": "Token(s) for a GitHub App were revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "application_client_id"
+    ]
+  },
+  {
+    "action": "integration.suspend",
+    "description": "A GitHub App was suspended.",
+    "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
+  },
+  {
+    "action": "integration.transfer",
+    "description": "Ownership of a GitHub App was transferred to another user or organization.",
+    "docs_reference_links": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app",
+    "fields": [
+      "@timestamp",
+      "user_id",
+      "name",
+      "transfer_to_id",
+      "user",
+      "requester",
+      "action",
+      "requester_id",
+      "actor_id",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "transfer_to",
+      "operation_type",
+      "request_id",
+      "actor",
+      "integration",
+      "transfer_from",
+      "transfer_from_id",
+      "transfer_from_type",
+      "transfer_to_type"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/transferring-ownership-of-a-github-app"
+  },
+  {
+    "action": "integration.unsuspend",
+    "description": "A GitHub App was unsuspended.",
+    "docs_reference_links": "/apps/maintaining-github-apps/suspending-a-github-app-installation",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "application_client_id"
+    ],
+    "docs_reference_titles": "/apps/maintaining-github-apps/suspending-a-github-app-installation"
+  },
+  {
+    "action": "issue_dependencies.blocked_by_add",
+    "description": "An issue was marked as blocked by another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocked_by_remove",
+    "description": "The blocked by relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "org",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_add",
+    "description": "An issue was marked as blocking another issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "issue_dependencies.blocking_remove",
+    "description": "The blocking relationship between an issue and another issue was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "marketplace_agreement_signature.create",
+    "description": "The GitHub Marketplace Developer Agreement was signed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "action",
+      "user",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "marketplace_listing.approve",
+    "description": "A listing was approved for inclusion in GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "secondary_category",
+      "actor",
+      "primary_category",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "marketplace_listing",
+      "integration",
+      "action"
+    ]
+  },
+  {
+    "action": "marketplace_listing.change_category",
+    "description": "A category for a listing for an app in GitHub Marketplace was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "primary_category",
+      "user_agent",
+      "request_id",
+      "actor",
+      "marketplace_listing",
+      "@timestamp",
+      "integration",
+      "org_id",
+      "action",
+      "org",
+      "secondary_category",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "marketplace_listing.create",
+    "description": "A listing for an app in GitHub Marketplace was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "primary_category",
+      "_document_id",
+      "user",
+      "created_at",
+      "user_agent",
+      "oauth_application",
+      "action",
+      "request_id",
+      "marketplace_listing",
+      "user_id",
+      "secondary_category",
+      "oauth_application_id",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "marketplace_listing.delist",
+    "description": "A listing was removed from GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org_id",
+      "created_at",
+      "secondary_category",
+      "operation_type",
+      "marketplace_listing",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "primary_category",
+      "integration"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "actor",
+      "action",
+      "operation_type",
+      "marketplace_listing",
+      "has_free_trial",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "yearly_price_in_cents",
+      "description",
+      "bullets",
+      "monthly_price_in_cents",
+      "marketplace_listing_plan",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.publish",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "marketplace_listing_plan",
+      "marketplace_listing",
+      "description",
+      "bullets",
+      "has_free_trial",
+      "created_at",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "actor",
+      "monthly_price_in_cents",
+      "yearly_price_in_cents",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.retire",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "marketplace_listing_plan",
+      "_document_id",
+      "request_id",
+      "description",
+      "yearly_price_in_cents",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "bullets",
+      "has_free_trial",
+      "marketplace_listing",
+      "user_agent",
+      "monthly_price_in_cents",
+      "action",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "marketplace_listing_plan.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "monthly_price_in_cents",
+      "marketplace_listing",
+      "_document_id",
+      "action",
+      "description",
+      "bullets",
+      "yearly_price_in_cents",
+      "request_id",
+      "actor_id",
+      "has_free_trial",
+      "marketplace_listing_plan",
+      "user_agent",
+      "@timestamp",
+      "operation_type",
+      "actor",
+      "created_at"
+    ]
+  },
+  {
+    "action": "marketplace_listing.redraft",
+    "description": "A listing was sent back to draft state.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "secondary_category",
+      "oauth_application_id",
+      "@timestamp",
+      "action",
+      "user_agent",
+      "user_id",
+      "operation_type",
+      "oauth_application",
+      "actor",
+      "created_at",
+      "marketplace_listing",
+      "request_id",
+      "actor_id",
+      "primary_category",
+      "user"
+    ]
+  },
+  {
+    "action": "marketplace_listing.reject",
+    "description": "A listing was not accepted for inclusion in GitHub Marketplace.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "primary_category",
+      "secondary_category",
+      "marketplace_listing",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "merge_queue.pull_request_dequeued",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "merge_queue.pull_request_queue_jump",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "token_id",
+      "token_scopes",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "merge_queue.queue_cleared",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "merge_queue.update_settings",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "max_entries_to_build",
+      "min_entries_to_merge",
+      "repo_id",
+      "public_repo",
+      "repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "metered_billing_configuration.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "org",
+      "created_at",
+      "operation_type",
+      "org_id",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "migration.create",
+    "description": "A migration file was created for transferring data from a source location (such as a GitHub.com organization or a GitHub Enterprise Server instance) to a target GitHub Enterprise Server instance.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "org_id",
+      "_document_id",
+      "org",
+      "repo_id",
+      "action",
+      "actor",
+      "created_at",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "actor_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "oauth_access.create",
+    "description": "An OAuth access token was generated.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, /authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token",
+    "fields": [
+      "_document_id",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "user",
+      "user_id",
+      "created_at",
+      "action",
+      "actor_id",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps, Managing your personal access tokens"
+  },
+  {
+    "action": "oauth_access.destroy",
+    "description": "An OAuth access token was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps",
+    "fields": [
+      "@timestamp",
+      "user_agent",
+      "action",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "created_at",
+      "user",
+      "user_id",
+      "request_id",
+      "explanation",
+      "hashed_token",
+      "actor_id",
+      "token_scopes",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authorizing-oauth-apps"
+  },
+  {
+    "action": "oauth_access.regenerate",
+    "description": "An OAuth access token was regenerated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "user_id",
+      "_document_id",
+      "created_at",
+      "@timestamp",
+      "operation_type",
+      "action",
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "oauth_application_name"
+    ]
+  },
+  {
+    "action": "oauth_access.revoke",
+    "description": "An OAuth access token was revoked.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "request_access_security_header",
+      "hashed_token",
+      "token_id",
+      "token_scopes",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "oauth_access.update",
+    "description": "An OAuth access token was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "created_at",
+      "action",
+      "@timestamp",
+      "user",
+      "user_agent",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "oauth_application.create",
+    "description": "An OAuth application was created.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "org",
+      "created_at",
+      "oauth_application_id",
+      "operation_type",
+      "user_agent",
+      "actor_id",
+      "org_id",
+      "action",
+      "actor",
+      "oauth_application",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.destroy",
+    "description": "An OAuth application was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "created_at",
+      "oauth_application_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "oauth_application",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "request_id",
+      "action",
+      "user",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.generate_client_secret",
+    "description": "An OAuth application's secret key was generated.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.remove_client_secret",
+    "description": "An OAuth application's secret key was deleted.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.reset_secret",
+    "description": "The secret key for an OAuth application was reset.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user",
+      "user_id",
+      "action",
+      "oauth_application",
+      "operation_type",
+      "request_id",
+      "actor_id",
+      "_document_id",
+      "created_at",
+      "actor",
+      "oauth_application_id",
+      "@timestamp",
+      "user_agent"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.revoke_all_tokens",
+    "description": "All user tokens for an OAuth application were requested to be revoked.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application",
+      "oauth_application_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.revoke_tokens",
+    "description": "Token(s) for an OAuth application were revoked.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "oauth_application_id",
+      "oauth_application",
+      "actor_id",
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "user_id",
+      "action",
+      "_document_id",
+      "actor",
+      "user",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_application.transfer",
+    "description": "An OAuth application was transferred from one account to another.",
+    "docs_reference_links": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app",
+    "fields": [
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "oauth_application",
+      "actor_id",
+      "oauth_application_id",
+      "@timestamp",
+      "user_id",
+      "_document_id",
+      "request_id",
+      "user",
+      "action"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/building-oauth-apps/authenticating-to-the-rest-api-with-an-oauth-app#registering-your-app"
+  },
+  {
+    "action": "oauth_authorization.create",
+    "description": "An authorization for an OAuth application was created.",
+    "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps",
+    "fields": [
+      "operation_type",
+      "user_agent",
+      "user_id",
+      "actor",
+      "org_id",
+      "_document_id",
+      "request_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "user",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps"
+  },
+  {
+    "action": "oauth_authorization.destroy",
+    "description": "An authorization for an OAuth application was deleted.",
+    "docs_reference_links": "/apps/using-github-apps/reviewing-your-authorized-integrations",
+    "fields": [
+      "user_agent",
+      "_document_id",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "actor",
+      "created_at",
+      "explanation",
+      "user",
+      "user_id",
+      "org_id",
+      "action",
+      "actor_id",
+      "token_scopes",
+      "actor_is_bot",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "Reviewing and revoking authorization of GitHub Apps"
+  },
+  {
+    "action": "oauth_authorization.update",
+    "description": "An authorization for an OAuth application was updated.",
+    "docs_reference_links": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps",
+    "fields": [
+      "org_id",
+      "request_id",
+      "user_id",
+      "actor",
+      "actor_id",
+      "user_agent",
+      "@timestamp",
+      "operation_type",
+      "action",
+      "user",
+      "created_at",
+      "_document_id",
+      "actor_is_bot",
+      "request_access_security_header",
+      "oauth_application_name"
+    ],
+    "docs_reference_titles": "/apps/oauth-apps/using-oauth-apps/authorizing-oauth-apps"
+  },
+  {
+    "action": "org.add_member",
+    "description": "A user joined an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "permission",
+      "_document_id",
+      "org",
+      "operation_type",
+      "request_id",
+      "actor",
+      "user",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "org_id",
+      "user_id",
+      "actor_id",
+      "action",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.add_outside_collaborator",
+    "description": "An outside collaborator was added to a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "inviter",
+      "org",
+      "org_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "permission",
+      "invitee",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.advanced_security_disabled_for_new_repos",
+    "description": "GitHub Advanced Security was disabled for new repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_disabled_on_all_repos",
+    "description": "GitHub Advanced Security was disabled for all repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_enabled_for_new_repos",
+    "description": "GitHub Advanced Security was enabled for new repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.advanced_security_enabled_on_all_repos",
+    "description": "GitHub Advanced Security was enabled for all repositories in an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes"
+    ]
+  },
+  {
+    "action": "org.remove_member",
+    "description": "A member was removed from an organization, either manually or due to a two-factor authentication requirement.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "user_agent",
+      "actor",
+      "action",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "user",
+      "operation_type",
+      "org_id",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "org.security_center_export_code_scanning_metrics",
+    "description": "A CSV export was requested on the CodeQL pull request alerts page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "org.security_center_export_coverage",
+    "description": "A CSV export was requested on the Coverage page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.security_center_export_overview_dashboard",
+    "description": "A CSV export was requested on the Overview Dashboard page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "start_date",
+      "end_date",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.security_center_export_risk",
+    "description": "A CSV export was requested on the Risk page.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "user",
+      "user_id",
+      "query",
+      "filename",
+      "requested_at",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "org.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/managing-github-actions-settings-for-your-organization"
+  },
+  {
+    "action": "org.set_actions_fork_pr_approvals_policy",
+    "description": "The setting for requiring approvals for workflows from public forks was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#requiring-approval-for-workflows-from-public-forks"
+  },
+  {
+    "action": "org.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "org.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs in an organization was changed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "limit",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-organization"
+  },
+  {
+    "action": "org.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization"
+  },
+  {
+    "action": "org.set_fork_pr_workflows_policy",
+    "description": "The policy for workflows on private repository forks was changed.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "policy",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "org.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for an organization.",
+    "docs_reference_links": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests"
+  },
+  {
+    "action": "org.update_member",
+    "description": "A person's role was changed from owner to member or member to owner.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "org_id",
+      "created_at",
+      "_document_id",
+      "user",
+      "user_id",
+      "action",
+      "request_id",
+      "actor_id",
+      "old_permission",
+      "permission",
+      "actor",
+      "user_agent",
+      "operation_type",
+      "org"
+    ]
+  },
+  {
+    "action": "org.update_member_repository_creation_permission",
+    "description": "The create repository permission for organization members was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "action",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "permission",
+      "created_at",
+      "user_agent",
+      "org",
+      "org_id",
+      "_document_id",
+      "visibility",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "org.update_member_repository_invitation_permission",
+    "description": "An organization owner changed the policy setting for organization members inviting outside collaborators to repositories.",
+    "docs_reference_links": "/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators",
+    "fields": [
+      "actor_id",
+      "permission",
+      "action",
+      "org_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "business_id",
+      "operation_type",
+      "org",
+      "user_agent",
+      "request_id",
+      "business",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Setting permissions for adding outside collaborators"
+  },
+  {
+    "action": "pages_protected_domain.create",
+    "description": "A GitHub Pages verified domain was created for an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "pages_protected_domain.delete",
+    "description": "A GitHub Pages verified domain was deleted from an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "pages_protected_domain.verify",
+    "description": "A GitHub Pages domain was verified for an organization or enterprise.",
+    "docs_reference_links": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "owner",
+      "owner_type",
+      "domain",
+      "state",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages"
+  },
+  {
+    "action": "passkey.register",
+    "description": "A new passkey was added.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "nickname",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "passkey.remove",
+    "description": "A new passkey was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "nickname",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.create",
+    "description": "A new payment method was added, such as a new credit card or PayPal account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "user_id",
+      "_document_id",
+      "action",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.remove",
+    "description": "A payment method was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "user_id",
+      "action",
+      "operation_type",
+      "actor",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "payment_method.update",
+    "description": "An existing payment method was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "org_id",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "action",
+      "actor",
+      "org",
+      "user_agent",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.access_granted",
+    "description": "A fine-grained personal access token was granted access to resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "repository_selection",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.access_revoked",
+    "description": "A fine-grained personal access token was revoked. The token can still read public organization resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "repository_selection",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.create",
+    "description": "Triggered when you create a fine-grained personal access token.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "personal_access_token.credential_regenerated",
+    "description": "Triggered when you regenerate a fine-grained personal access token.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.credential_revoked",
+    "description": "A fine-grained personal access token was revoked by GitHub Advanced Security.",
+    "docs_reference_links": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users",
+    "fields": [
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/code-security/getting-started/github-security-features#secret-scanning-alerts-for-users"
+  },
+  {
+    "action": "personal_access_token.destroy",
+    "description": "Triggered when you delete a fine-grained personal access token.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "explanation",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "personal_access_token.request_cancelled",
+    "description": "A pending request for a fine-grained personal access token to access organization resources was canceled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "org",
+      "org_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ]
+  },
+  {
+    "action": "personal_access_token.request_created",
+    "description": "Triggered when a fine-grained personal access token was created to access organization resources and the organization requires approval before the token can access organization resources.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.request_denied",
+    "description": "A request for a fine-grained personal access token to access organization resources was denied.",
+    "docs_reference_links": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user_programmatic_access_name",
+      "org",
+      "org_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "user_programmatic_access_request_id"
+    ],
+    "docs_reference_titles": "/organizations/managing-programmatic-access-to-your-organization/managing-requests-for-personal-access-tokens-in-your-organization"
+  },
+  {
+    "action": "personal_access_token.update",
+    "description": "A fine-grained personal access token was updated.",
+    "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_programmatic_access_name",
+      "user",
+      "user_id",
+      "repository_selection",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#fine-grained-personal-access-tokens"
+  },
+  {
+    "action": "premium_runner.create",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "premium_runner.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "premium_runner.update",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "name",
+      "runner_group_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting.disable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting.enable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting_new_repos.disable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "private_vulnerability_reporting_new_repos.enable",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "profile_picture.update",
+    "description": "A profile picture was updated.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile",
+    "fields": [
+      "user",
+      "actor_id",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "owner",
+      "action",
+      "_document_id",
+      "request_id",
+      "user_agent",
+      "actor",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Personalize your profile"
+  },
+  {
+    "action": "project.access",
+    "description": "A project board visibility was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "actor",
+      "user_agent",
+      "operation_type",
+      "user",
+      "created_at",
+      "user_id",
+      "action",
+      "request_id",
+      "_document_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "project.close",
+    "description": "A project board was closed.",
+    "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/closing-a-project-board",
+    "fields": [
+      "org_id",
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "repo_id",
+      "org",
+      "_document_id",
+      "project_id",
+      "action",
+      "actor",
+      "actor_id",
+      "repo",
+      "project_kind"
+    ],
+    "docs_reference_titles": "Closing a project (classic)"
+  },
+  {
+    "action": "project_collaborator.add",
+    "description": "A collaborator was added to a project.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "collaborator_type",
+      "org",
+      "org_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "public_project",
+      "project_name",
+      "project_role",
+      "old_project_role",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project_collaborator.remove",
+    "description": "A collaborator was removed from a project.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "collaborator_type",
+      "user",
+      "user_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project_collaborator.update",
+    "description": "A project collaborator's permission level was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "public_project",
+      "project_name",
+      "collaborator_type",
+      "project_role",
+      "old_project_role",
+      "project_id",
+      "user",
+      "user_id",
+      "collaborator",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "project.create",
+    "description": "A project board was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user",
+      "_document_id",
+      "request_id",
+      "user_id",
+      "user_agent",
+      "@timestamp",
+      "actor_id",
+      "action",
+      "created_at",
+      "actor"
+    ]
+  },
+  {
+    "action": "project.delete",
+    "description": "A project board was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "action",
+      "actor_id",
+      "operation_type",
+      "actor",
+      "user_id",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "user"
+    ]
+  },
+  {
+    "action": "project_field.create",
+    "description": "A field was created in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields"
+  },
+  {
+    "action": "project_field.delete",
+    "description": "A field was deleted in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/understanding-fields/deleting-custom-fields"
+  },
+  {
+    "action": "project.link",
+    "description": "A repository was linked to a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo_id",
+      "action",
+      "actor_id",
+      "org_id",
+      "user_agent",
+      "request_id",
+      "actor",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at",
+      "org",
+      "repo"
+    ]
+  },
+  {
+    "action": "project.open",
+    "description": "A project board was reopened.",
+    "docs_reference_links": "/issues/organizing-your-work-with-project-boards/managing-project-boards/reopening-a-closed-project-board",
+    "fields": [
+      "actor",
+      "request_id",
+      "actor_id",
+      "action",
+      "user_id",
+      "project_id",
+      "_document_id",
+      "user_agent",
+      "operation_type",
+      "user",
+      "@timestamp",
+      "created_at",
+      "project_kind",
+      "project_name"
+    ],
+    "docs_reference_titles": "Reopening a closed project (classic)"
+  },
+  {
+    "action": "project.rename",
+    "description": "A project board was renamed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "old_name",
+      "operation_type",
+      "@timestamp",
+      "repo",
+      "_document_id",
+      "user_agent",
+      "org_id",
+      "business_id",
+      "actor",
+      "repo_id",
+      "org",
+      "business"
+    ]
+  },
+  {
+    "action": "project.unlink",
+    "description": "A repository was unlinked from a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "repo_id",
+      "operation_type",
+      "actor",
+      "action",
+      "created_at",
+      "actor_id",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "org",
+      "org_id"
+    ]
+  },
+  {
+    "action": "project.update_org_permission",
+    "description": "The project's base-level permission for all organization members was changed or removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "org",
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "action",
+      "org_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "project.update_team_permission",
+    "description": "A team's project board permission level was changed or when a team was added or removed from a project board.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "org_id",
+      "operation_type",
+      "org",
+      "actor_id",
+      "_document_id",
+      "request_id",
+      "team",
+      "@timestamp",
+      "action",
+      "user_agent",
+      "actor"
+    ]
+  },
+  {
+    "action": "project.update_user_permission",
+    "description": "A user was added to or removed from a project board or had their permission level changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "actor_id",
+      "user",
+      "user_agent",
+      "actor",
+      "created_at",
+      "org",
+      "_document_id",
+      "org_id",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "project_view.create",
+    "description": "A view was created in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views"
+  },
+  {
+    "action": "project_view.delete",
+    "description": "A view was deleted in a project board.",
+    "docs_reference_links": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/issues/planning-and-tracking-with-projects/customizing-views-in-your-project/managing-your-views"
+  },
+  {
+    "action": "project.visibility_private",
+    "description": "A project's visibility was changed from public to private.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "project_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "project_kind",
+      "project_name"
+    ]
+  },
+  {
+    "action": "project.visibility_public",
+    "description": "A project's visibility was changed from private to public.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "project_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "project_kind",
+      "project_name",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "protected_branch.update_merge_queue_enforcement_level",
+    "description": "Enforcement of the merge queue was modified for a branch.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "merge_queue_enforcement_level",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches#require-merge-queue"
+  },
+  {
+    "action": "public_key.create",
+    "description": "An SSH key was added to a user account or a deploy key was added to a repository.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account",
+    "fields": [
+      "read_only",
+      "user_agent",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "key",
+      "fingerprint",
+      "actor",
+      "action",
+      "user",
+      "user_id",
+      "@timestamp",
+      "request_id",
+      "title",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account"
+  },
+  {
+    "action": "public_key.delete",
+    "description": "An SSH key was removed from a user account or a deploy key was removed from a repository.",
+    "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys",
+    "fields": [
+      "fingerprint",
+      "user_agent",
+      "read_only",
+      "explanation",
+      "repo",
+      "@timestamp",
+      "action",
+      "key",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "title",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "created_at",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/reviewing-your-ssh-keys"
+  },
+  {
+    "action": "public_key.unverification_failure",
+    "description": "A user account's SSH key or a repository's deploy key was unable to be unverified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "title",
+      "key",
+      "fingerprint",
+      "read_only",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "token_scopes"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.unverify",
+    "description": "A user account's SSH key or a repository's deploy key was unverified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "created_at",
+      "operation_type",
+      "_document_id",
+      "title",
+      "request_id",
+      "key",
+      "action",
+      "actor",
+      "read_only",
+      "explanation",
+      "repo_id",
+      "@timestamp",
+      "actor_id",
+      "repo",
+      "user_agent",
+      "fingerprint"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.update",
+    "description": "A user account's SSH key or a repository's deploy key was updated.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "actor",
+      "user_agent",
+      "key",
+      "fingerprint",
+      "read_only",
+      "repo_id",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "repo",
+      "action",
+      "_document_id",
+      "request_id",
+      "title",
+      "@timestamp",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.verification_failure",
+    "description": "A user account's SSH key or a repository's deploy key was unable to be verified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "repo_id",
+      "actor",
+      "key",
+      "fingerprint",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "oauth_application_id",
+      "title",
+      "action",
+      "user_agent",
+      "created_at",
+      "repo",
+      "read_only",
+      "operation_type",
+      "_document_id",
+      "user",
+      "user_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "public_key.verify",
+    "description": "A user account's SSH key or a repository's deploy key was verified.",
+    "docs_reference_links": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys",
+    "fields": [
+      "operation_type",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "action",
+      "created_at",
+      "key",
+      "fingerprint",
+      "actor_id",
+      "actor",
+      "title",
+      "user_agent",
+      "user_id",
+      "request_id",
+      "read_only",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/authentication/connecting-to-github-with-ssh/managing-deploy-keys#deploy-keys"
+  },
+  {
+    "action": "repo.access",
+    "description": "The visibility of a repository changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility",
+    "fields": [
+      "repo_id",
+      "user",
+      "request_id",
+      "operation_type",
+      "@timestamp",
+      "actor_id",
+      "user_id",
+      "created_at",
+      "user_agent",
+      "actor",
+      "action",
+      "repo",
+      "visibility",
+      "_document_id",
+      "previous_visibility",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/setting-repository-visibility"
+  },
+  {
+    "action": "repo.actions_enabled",
+    "description": "GitHub Actions was enabled for a repository.",
+    "docs_reference_links": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#using-the-audit-log-api"
+  },
+  {
+    "action": "repo.add_member",
+    "description": "A collaborator was added to a repository.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/inviting-collaborators-to-a-personal-repository",
+    "fields": [
+      "visibility",
+      "repo",
+      "created_at",
+      "user_agent",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "repo_id",
+      "user",
+      "request_id",
+      "action",
+      "user_id",
+      "oauth_application_id",
+      "org",
+      "org_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Inviting collaborators to a personal repository"
+  },
+  {
+    "action": "repo.add_topic",
+    "description": "A topic was added to a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics",
+    "fields": [
+      "action",
+      "user_agent",
+      "actor",
+      "repo",
+      "repo_id",
+      "user",
+      "org",
+      "org_id",
+      "request_id",
+      "actor_id",
+      "topic",
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "created_at",
+      "operation_type",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/classifying-your-repository-with-topics"
+  },
+  {
+    "action": "repo.advanced_security_disabled",
+    "description": "GitHub Advanced Security was disabled for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "repository",
+      "repository_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository"
+  },
+  {
+    "action": "repo.advanced_security_enabled",
+    "description": "GitHub Advanced Security was enabled for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "repository",
+      "repository_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository"
+  },
+  {
+    "action": "repo.archived",
+    "description": "A repository was archived.",
+    "docs_reference_links": "/repositories/archiving-a-github-repository",
+    "fields": [
+      "repo_id",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "@timestamp",
+      "repo",
+      "user",
+      "operation_type",
+      "visibility",
+      "action",
+      "actor_id",
+      "actor",
+      "_document_id",
+      "request_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/archiving-a-github-repository"
+  },
+  {
+    "action": "repo.change_merge_setting",
+    "description": "Pull request merge options were changed for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "oauth_application_id",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "actor_id",
+      "operation_type",
+      "action",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.code_scanning_analysis_deleted",
+    "description": "Code scanning analysis for a repository was deleted.",
+    "docs_reference_links": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "tool",
+      "category",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/rest/code-scanning#delete-a-code-scanning-analysis-from-a-repository"
+  },
+  {
+    "action": "repo.code_scanning_configuration_for_branch_deleted",
+    "description": "A code scanning configuration for a branch of a repository was deleted.",
+    "docs_reference_links": "/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#removing-stale-configurations-and-alerts-from-a-branch",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "tool",
+      "branch",
+      "category",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Resolving code scanning alerts"
+  },
+  {
+    "action": "repo.config.disable_collaborators_only",
+    "description": "The interaction limit for collaborators only was disabled.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "user_agent",
+      "actor",
+      "actor_id",
+      "repo_id",
+      "_document_id",
+      "action",
+      "created_at",
+      "repo",
+      "operation_type",
+      "@timestamp",
+      "request_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.disable_contributors_only",
+    "description": "The interaction limit for prior contributors only was disabled in a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "repo",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "repo_id",
+      "action",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.disable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users only was disabled in a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "request_id",
+      "repo_id",
+      "action",
+      "user_agent",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "repo",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_collaborators_only",
+    "description": "The interaction limit for collaborators only was enabled in a repository  Users that are not collaborators or organization members were unable to interact with a repository for a set duration.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "oauth_application_id",
+      "created_at",
+      "action",
+      "request_id",
+      "repo_id",
+      "repo",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_contributors_only",
+    "description": "The interaction limit for prior contributors only was enabled in a repository  Users that are not prior contributors, collaborators or organization members were unable to interact with a repository for a set duration.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "org",
+      "action",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "org_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.config.enable_sockpuppet_disallowed",
+    "description": "The interaction limit for existing users was enabled in a repository  New users aren't able to interact with a repository for a set duration  Existing users of the repository, contributors, collaborators or organization members are able to interact with a repository.",
+    "docs_reference_links": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository",
+    "fields": [
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "action",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository"
+  },
+  {
+    "action": "repo.configure_self_hosted_jit_runner",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "token_id",
+      "token_scopes",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.create",
+    "description": "A repository was created.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/creating-a-new-repository",
+    "fields": [
+      "repo",
+      "user_id",
+      "visibility",
+      "repo_id",
+      "user",
+      "request_id",
+      "actor_id",
+      "action",
+      "operation_type",
+      "request_category",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor",
+      "user_agent",
+      "org",
+      "oauth_application_id",
+      "org_id",
+      "request_method",
+      "business",
+      "business_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/creating-a-new-repository"
+  },
+  {
+    "action": "repo.create_actions_secret",
+    "description": "A GitHub Actions secret was created for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.create_actions_variable",
+    "description": "A GitHub Actions variable was created for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.create_integration_secret",
+    "description": "A Codespaces or Dependabot secret was created for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.destroy",
+    "description": "A repository was deleted.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/deleting-a-repository",
+    "fields": [
+      "repo",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "actor",
+      "action",
+      "user",
+      "repo_id",
+      "operation_type",
+      "request_category",
+      "actor_id",
+      "visibility",
+      "request_id",
+      "created_at",
+      "@timestamp",
+      "request_method",
+      "oauth_application_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/deleting-a-repository"
+  },
+  {
+    "action": "repo.pages_cname",
+    "description": "A GitHub Pages custom domain was modified in a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "@timestamp",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "request_id",
+      "actor_id",
+      "cname",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "action",
+      "operation_type",
+      "old_cname",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_create",
+    "description": "A GitHub Pages site was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "_document_id",
+      "user_id",
+      "visibility",
+      "action",
+      "user_agent",
+      "operation_type",
+      "repo_id",
+      "created_at",
+      "@timestamp",
+      "request_id",
+      "actor",
+      "repo",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_destroy",
+    "description": "A GitHub Pages site was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "user_id",
+      "action",
+      "request_id",
+      "user",
+      "repo",
+      "user_agent",
+      "_document_id",
+      "actor_id",
+      "@timestamp",
+      "actor",
+      "visibility",
+      "operation_type",
+      "repo_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.pages_https_redirect_disabled",
+    "description": "HTTPS redirects were disabled for a GitHub Pages site.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "actor_id",
+      "repo_id",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "visibility",
+      "user_id",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "operation_type",
+      "action",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_https_redirect_enabled",
+    "description": "HTTPS redirects were enabled for a GitHub Pages site.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "user_id",
+      "created_at",
+      "visibility",
+      "actor",
+      "actor_id",
+      "user",
+      "operation_type",
+      "repo_id",
+      "action",
+      "repo",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_private",
+    "description": "A GitHub Pages site visibility was changed to private.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "repo.pages_public",
+    "description": "A GitHub Pages site visibility was changed to public.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_soft_delete",
+    "description": "A GitHub Pages site was soft-deleted because its owner's plan changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_soft_delete_restore",
+    "description": "A GitHub Pages site that was previously soft-deleted was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.pages_source",
+    "description": "A GitHub Pages source was modified.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "actor_id",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "@timestamp",
+      "repo_id",
+      "user",
+      "_document_id",
+      "request_id",
+      "visibility",
+      "repo",
+      "created_at",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.register_self_hosted_runner",
+    "description": "A new self-hosted runner was registered.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners#adding-a-self-hosted-runner-to-a-repository",
+    "fields": [
+      "actor_id",
+      "repo",
+      "operation_type",
+      "action",
+      "@timestamp",
+      "actor",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repo_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding self-hosted runners"
+  },
+  {
+    "action": "repo.remove_actions_secret",
+    "description": "A GitHub Actions secret was deleted for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.remove_actions_variable",
+    "description": "A GitHub Actions variable was deleted for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.remove_integration_secret",
+    "description": "A Codespaces or Dependabot secret was deleted for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "integration",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.remove_member",
+    "description": "A collaborator was removed from a repository.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/removing-a-collaborator-from-a-personal-repository",
+    "fields": [
+      "request_id",
+      "user",
+      "business",
+      "action",
+      "actor_id",
+      "org",
+      "org_id",
+      "actor",
+      "created_at",
+      "repo_id",
+      "user_agent",
+      "business_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "visibility",
+      "repo",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing a collaborator from a personal repository"
+  },
+  {
+    "action": "repo.remove_self_hosted_runner",
+    "description": "A self-hosted runner was removed.",
+    "docs_reference_links": "/actions/hosting-your-own-runners/managing-self-hosted-runners/removing-self-hosted-runners#removing-a-runner-from-a-repository",
+    "fields": [
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "@timestamp",
+      "_document_id",
+      "repo",
+      "org_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "actor",
+      "created_at",
+      "org",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Removing self-hosted runners"
+  },
+  {
+    "action": "repo.remove_topic",
+    "description": "A topic was removed from a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "repo_id",
+      "user_agent",
+      "topic",
+      "operation_type",
+      "user_id",
+      "org",
+      "org_id",
+      "actor",
+      "business",
+      "request_id",
+      "repo",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "actor_id",
+      "business_id",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repo.rename",
+    "description": "A repository was renamed.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/renaming-a-repository",
+    "fields": [
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "actor",
+      "old_name",
+      "repo",
+      "user_id",
+      "created_at",
+      "user",
+      "action",
+      "operation_type",
+      "visibility",
+      "repo_id",
+      "_document_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/renaming-a-repository"
+  },
+  {
+    "action": "repo.restore",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "action",
+      "_document_id",
+      "actor_id",
+      "user",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "repo_id",
+      "@timestamp",
+      "created_at",
+      "actor",
+      "user_id"
+    ]
+  },
+  {
+    "action": "repo.set_actions_cache_retention_policy",
+    "description": "The cache retention policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_cache_storage_policy",
+    "description": "The cache storage policy for GitHub Actions was set for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository"
+  },
+  {
+    "action": "repo.set_actions_fork_pr_approvals_policy",
+    "description": "The setting for requiring approvals for workflows from public forks was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "public_repo"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-required-approval-for-workflows-from-public-forks"
+  },
+  {
+    "action": "repo.set_actions_private_fork_pr_approvals_policy",
+    "description": "The policy for requiring approval for fork pull request workflows from collaborators without write access to private repos was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-forks-of-private-repositories"
+  },
+  {
+    "action": "repo.set_actions_retention_limit",
+    "description": "The retention period for GitHub Actions artifacts and logs in a repository was changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "limit",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-retention-period-for-github-actions-artifacts-and-logs-in-your-repository"
+  },
+  {
+    "action": "repo.set_default_workflow_permissions",
+    "description": "The default permissions granted to the GITHUB_TOKEN when running workflows were changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository"
+  },
+  {
+    "action": "repo.set_fork_pr_workflows_policy",
+    "description": "Triggered when the policy for workflows on private repository forks is changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#enabling-workflows-for-private-repository-forks"
+  },
+  {
+    "action": "repo.set_workflow_permission_can_approve_pr",
+    "description": "The policy for allowing GitHub Actions to create and approve pull requests was changed for a repository.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests"
+  },
+  {
+    "action": "repo.staff_unlock",
+    "description": "An enterprise owner or GitHub staff (with permission from a repository administrator) temporarily unlocked the repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "created_at",
+      "actor",
+      "repo_id",
+      "action",
+      "org",
+      "org_id",
+      "request_id",
+      "repo",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "repo.temporary_access_granted",
+    "description": "Temporary access was enabled for a repository.",
+    "docs_reference_links": "/admin/user-management/managing-repositories-in-your-enterprise/accessing-user-owned-repositories-in-your-enterprise",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ],
+    "docs_reference_titles": "Accessing user-owned repositories in your enterprise"
+  },
+  {
+    "action": "repo.transfer",
+    "description": "A user accepted a request to receive a transferred repository.",
+    "docs_reference_links": "/repositories/creating-and-managing-repositories/transferring-a-repository",
+    "fields": [
+      "@timestamp",
+      "user_id",
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "repo_id",
+      "owner",
+      "user",
+      "old_user",
+      "action",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "repo",
+      "visibility",
+      "repo_was",
+      "actor"
+    ],
+    "docs_reference_titles": "/repositories/creating-and-managing-repositories/transferring-a-repository"
+  },
+  {
+    "action": "repo.transfer_outgoing",
+    "description": "A repository was transferred to another repository network.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "new_nwo",
+      "visibility",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "public_repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.transfer_start",
+    "description": "A user sent a request to transfer a repository to another user or organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "operation_type",
+      "user_id",
+      "request_id",
+      "user",
+      "action",
+      "user_agent",
+      "created_at",
+      "actor",
+      "visibility",
+      "repo_id",
+      "actor_id",
+      "repo",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.unarchived",
+    "description": "A repository was unarchived.",
+    "docs_reference_links": "/repositories/archiving-a-github-repository",
+    "fields": [
+      "actor",
+      "request_id",
+      "actor_id",
+      "repo",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "repo_id",
+      "user",
+      "@timestamp",
+      "visibility",
+      "user_agent",
+      "user_id",
+      "action",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "/repositories/archiving-a-github-repository"
+  },
+  {
+    "action": "repo.update_actions_access_settings",
+    "description": "The setting to control how a repository was used by GitHub Actions workflows in other repositories was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "policy",
+      "old_policy",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id"
+    ]
+  },
+  {
+    "action": "repo.update_actions_secret",
+    "description": "A GitHub Actions secret was updated for a repository.",
+    "docs_reference_links": "/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "oauth_application_id",
+      "key",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "business",
+      "business_id",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Using secrets in GitHub Actions"
+  },
+  {
+    "action": "repo.update_actions_settings",
+    "description": "A repository administrator changed GitHub Actions policy settings for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "new_policy",
+      "old_policy",
+      "updated_access_policy",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.update_actions_variable",
+    "description": "A GitHub Actions variable was updated for a repository.",
+    "docs_reference_links": "/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Store information in variables"
+  },
+  {
+    "action": "repo.update_default_branch",
+    "description": "The default branch for a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "visibility",
+      "repo",
+      "repo_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repo.update_integration_secret",
+    "description": "A Codespaces or Dependabot secret was updated for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "key",
+      "visibility",
+      "integration",
+      "repo",
+      "repo_id",
+      "org",
+      "org_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repo.update_member",
+    "description": "A user's permission to a repository was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "action",
+      "_document_id",
+      "actor",
+      "repo_id",
+      "created_at",
+      "oauth_application_id",
+      "user",
+      "@timestamp",
+      "repo",
+      "operation_type",
+      "request_id",
+      "org_id",
+      "actor_id",
+      "visibility",
+      "old_permission",
+      "org",
+      "user_id",
+      "old_base_role",
+      "old_repo_permission",
+      "old_repo_base_role",
+      "new_repo_base_role",
+      "new_repo_permission",
+      "token_scopes",
+      "programmatic_access_type",
+      "actor_is_bot"
+    ]
+  },
+  {
+    "action": "repository_image.create",
+    "description": "An image to represent a repository was uploaded.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "repo_id",
+      "action",
+      "request_id",
+      "actor",
+      "content_type",
+      "repo",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_image.destroy",
+    "description": "An image to represent a repository was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "content_type",
+      "created_at",
+      "actor_id",
+      "user_id",
+      "operation_type",
+      "request_id",
+      "_document_id",
+      "actor",
+      "repo_id",
+      "user_agent",
+      "repo",
+      "user",
+      "action",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_invitation.accept",
+    "description": "An invitation to join a repository was accepted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "created_at",
+      "request_id",
+      "repo",
+      "invitee",
+      "operation_type",
+      "actor",
+      "repo_id",
+      "_document_id",
+      "action",
+      "user_agent",
+      "inviter",
+      "@timestamp",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_invitation.cancel",
+    "description": "An invitation to join a repository was canceled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "inviter",
+      "action",
+      "operation_type",
+      "_document_id",
+      "repo_id",
+      "repo",
+      "@timestamp",
+      "user_agent",
+      "invitee",
+      "created_at",
+      "request_id",
+      "actor",
+      "actor_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "repository_invitation.create",
+    "description": "An invitation to join a repository was sent.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "invitee",
+      "action",
+      "request_id",
+      "inviter",
+      "repo",
+      "created_at",
+      "user_agent",
+      "repo_id",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "repository_invitation.reject",
+    "description": "An invitation to join a repository was declined.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "repo",
+      "_document_id",
+      "actor",
+      "invitee",
+      "action",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "inviter",
+      "user_agent",
+      "repo_id"
+    ]
+  },
+  {
+    "action": "repository_ruleset.create",
+    "description": "A repository ruleset was created.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules",
+      "ruleset_conditions",
+      "ruleset_bypass_actors",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/creating-rulesets-for-a-repository"
+  },
+  {
+    "action": "repository_ruleset.destroy",
+    "description": "A repository ruleset was deleted.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules",
+      "ruleset_bypass_actors",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#deleting-a-ruleset"
+  },
+  {
+    "action": "repository_ruleset.update",
+    "description": "A repository ruleset was edited.",
+    "docs_reference_links": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "old_name",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "ruleset_id",
+      "ruleset_name",
+      "ruleset_enforcement",
+      "ruleset_source_type",
+      "ruleset_rules_updated",
+      "ruleset_conditions_added",
+      "ruleset_conditions_deleted",
+      "ruleset_old_enforcement",
+      "ruleset_rules_added",
+      "ruleset_rules_deleted",
+      "ruleset_old_name",
+      "ruleset_conditions_updated",
+      "ruleset_bypass_actors_added",
+      "ruleset_bypass_actors_deleted",
+      "ruleset_bypass_actors_updated",
+      "actor_is_bot"
+    ],
+    "docs_reference_titles": "/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#editing-a-ruleset"
+  },
+  {
+    "action": "security_key.register",
+    "description": "A security key was registered for an account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "created_at",
+      "user_id",
+      "action",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "user_agent",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "security_key.remove",
+    "description": "A security key was removed from an account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "@timestamp",
+      "request_id",
+      "actor_id",
+      "action",
+      "created_at",
+      "user",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "social_identity.linked",
+    "description": "A user linked a social identity to their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "actor_id",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked",
+    "description": "A user unlinked a social identity from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "social_identity.unlinked_all",
+    "description": "A user unlinked all social identities from their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "request_access_security_header",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.agreement_sign",
+    "description": "A GitHub Sponsors agreement was signed on behalf of an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.custom_amount_settings_change",
+    "description": "Custom amounts for GitHub Sponsors were enabled or disabled, or the suggested custom amount was changed.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "sponsors_listing_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers"
+  },
+  {
+    "action": "sponsors.fiscal_host_change",
+    "description": "The fiscal host for a GitHub Sponsors listing was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "org",
+      "org_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.repo_funding_links_file_action",
+    "description": "The FUNDING file in a repository was changed.",
+    "docs_reference_links": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository",
+    "fields": [
+      "@timestamp",
+      "action",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "repository",
+      "repository_id",
+      "actor",
+      "user_agent",
+      "actor_id",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_cancel",
+    "description": "A sponsorship was canceled.",
+    "docs_reference_links": "/billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship",
+    "fields": [
+      "operation_type",
+      "_document_id",
+      "created_at",
+      "actor",
+      "user",
+      "action",
+      "actor_id",
+      "user_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "Downgrading a sponsorship"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_create",
+    "description": "A sponsorship was created, by sponsoring an account.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes",
+    "fields": [
+      "actor",
+      "user_id",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_payment_complete",
+    "description": "After you sponsor an account and a payment has been processed, the sponsorship payment was marked as complete.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes",
+    "fields": [
+      "active",
+      "user",
+      "user_id",
+      "actor",
+      "actor_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/about-sponsorships-fees-and-taxes"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_preference_change",
+    "description": "The option to receive email updates from a sponsored account was changed.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship",
+    "fields": [
+      "actor_id",
+      "action",
+      "@timestamp",
+      "request_id",
+      "user_id",
+      "created_at",
+      "user",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/sponsors/sponsoring-open-source-contributors/managing-your-sponsorship"
+  },
+  {
+    "action": "sponsors.sponsor_sponsorship_tier_change",
+    "description": "A sponsorship was upgraded or downgraded.",
+    "docs_reference_links": "/billing/managing-billing-for-github-sponsors/upgrading-a-sponsorship, /billing/managing-billing-for-github-sponsors/downgrading-a-sponsorship",
+    "fields": [
+      "user_id",
+      "actor",
+      "actor_id",
+      "action",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "created_at"
+    ],
+    "docs_reference_titles": "Upgrading a sponsorship, Downgrading a sponsorship"
+  },
+  {
+    "action": "sponsors.sponsored_developer_approve",
+    "description": "A GitHub Sponsors account was approved.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "actor",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "actor_id",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_create",
+    "description": "A GitHub Sponsors account was created.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "request_id",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "action",
+      "created_at",
+      "user_agent",
+      "actor"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_disable",
+    "description": "A GitHub Sponsors account was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "sponsors.sponsored_developer_profile_update",
+    "description": "The profile for GitHub Sponsors account was edited.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors",
+    "fields": [
+      "@timestamp",
+      "actor_id",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "actor",
+      "action",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/editing-your-profile-details-for-github-sponsors"
+  },
+  {
+    "action": "sponsors.sponsored_developer_redraft",
+    "description": "A GitHub Sponsors account was returned to draft state from approved state.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "request_id",
+      "user",
+      "action",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user_id"
+    ]
+  },
+  {
+    "action": "sponsors.sponsored_developer_request_approval",
+    "description": "An application for GitHub Sponsors was submitted for approval.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "user_agent",
+      "user",
+      "@timestamp",
+      "actor_id",
+      "user_id",
+      "request_id",
+      "_document_id",
+      "actor",
+      "action",
+      "operation_type",
+      "created_at"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.sponsored_developer_tier_description_update",
+    "description": "The description for a sponsorship tier was changed.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers",
+    "fields": [
+      "operation_type",
+      "request_id",
+      "actor",
+      "user_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "actor_id",
+      "user",
+      "created_at"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/managing-your-sponsorship-tiers"
+  },
+  {
+    "action": "sponsors.sponsored_developer_update_newsletter_send",
+    "description": "Triggered when you send an email update to your sponsors.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors",
+    "fields": [
+      "request_id",
+      "actor",
+      "action",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "created_at",
+      "actor_id",
+      "user",
+      "user_id",
+      "@timestamp"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/contacting-your-sponsors"
+  },
+  {
+    "action": "sponsors.sponsors_patreon_user_create",
+    "description": "A Patreon account was linked to a user account for use with GitHub Sponsors.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "patreon_email",
+      "patreon_username",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/enabling-sponsorships-through-patreon#linking-your-patreon-account-to-your-github-account"
+  },
+  {
+    "action": "sponsors.sponsors_patreon_user_destroy",
+    "description": "A Patreon account for use with GitHub Sponsors was unlinked from a user account.",
+    "docs_reference_links": "/sponsors/sponsoring-open-source-contributors/unlinking-your-patreon-account-from-your-github-account",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "patreon_email",
+      "patreon_username",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ],
+    "docs_reference_titles": "Unlinking your Patreon account from GitHub"
+  },
+  {
+    "action": "sponsors.update_tier_repository",
+    "description": "A GitHub Sponsors tier changed access for a repository.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "repo",
+      "repo_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.update_tier_welcome_message",
+    "description": "The welcome message for a GitHub Sponsors tier for an organization was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sponsors.waitlist_join",
+    "description": "You join the waitlist to join GitHub Sponsors.",
+    "docs_reference_links": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account",
+    "fields": [
+      "request_id",
+      "actor",
+      "user_id",
+      "user_agent",
+      "actor_id",
+      "action",
+      "operation_type",
+      "created_at",
+      "user",
+      "@timestamp",
+      "_document_id"
+    ],
+    "docs_reference_titles": "/sponsors/receiving-sponsorships-through-github-sponsors/setting-up-github-sponsors-for-your-personal-account"
+  },
+  {
+    "action": "sponsors.withdraw_agreement_signature",
+    "description": "A signature was withdrawn from a GitHub Sponsors agreement that applies to an organization.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "sponsors_listing_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_add",
+    "description": "A parent issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.parent_issue_remove",
+    "description": "A parent issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_add",
+    "description": "A sub-issue was added to an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "sub_issues.sub_issue_remove",
+    "description": "A sub-issue was removed from an issue.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "title",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "successor_invitation.accept",
+    "description": "Triggered when you accept a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.cancel",
+    "description": "Triggered when you cancel a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.create",
+    "description": "Triggered when you create a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.decline",
+    "description": "Triggered when you decline a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "successor_invitation.destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "successor_invitation.revoke",
+    "description": "Triggered when you revoke a succession invitation.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-access-to-your-personal-repositories/maintaining-ownership-continuity-of-your-personal-accounts-repositories",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Maintaining ownership continuity of your personal account's repositories"
+  },
+  {
+    "action": "trusted_device.register",
+    "description": "A new trusted device was added.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "trusted_device.remove",
+    "description": "A trusted device was removed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.abort",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "action",
+      "request_id",
+      "user_id",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_agent",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.complete",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "@timestamp",
+      "created_at",
+      "user_id",
+      "operation_type",
+      "user",
+      "_document_id",
+      "user_agent",
+      "action"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.ignore",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "_document_id",
+      "created_at",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "user",
+      "action"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.staff_approve",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "user",
+      "user_id",
+      "user_agent",
+      "operation_type",
+      "action",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.staff_decline",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "actor",
+      "action",
+      "@timestamp",
+      "user_agent",
+      "operation_type",
+      "user",
+      "created_at",
+      "request_id",
+      "actor_id",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.start",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "operation_type",
+      "@timestamp",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "user_id",
+      "action",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "two_factor_account_recovery.two_factor_destroy",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "user_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "user",
+      "_document_id",
+      "request_id"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.add_factor",
+    "description": "A secondary authentication factor was added to a user account.",
+    "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication"
+  },
+  {
+    "action": "two_factor_authentication.disabled",
+    "description": "Two-factor authentication was disabled for a user account.",
+    "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/disabling-two-factor-authentication-for-your-personal-account",
+    "fields": [
+      "actor",
+      "action",
+      "_document_id",
+      "user_agent",
+      "user",
+      "user_id",
+      "actor_id",
+      "created_at",
+      "operation_type",
+      "request_id",
+      "@timestamp",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Disabling two-factor authentication for your personal account"
+  },
+  {
+    "action": "two_factor_authentication.enabled",
+    "description": "Two-factor authentication was enabled for a user account.",
+    "docs_reference_links": "https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication",
+    "fields": [
+      "actor",
+      "operation_type",
+      "user_agent",
+      "action",
+      "created_at",
+      "actor_id",
+      "@timestamp",
+      "request_id",
+      "user",
+      "user_id",
+      "_document_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Configuring two-factor authentication"
+  },
+  {
+    "action": "two_factor_authentication.password_reset_fallback_sms",
+    "description": "A one-time password code was sent to a user account fallback phone number.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "created_at",
+      "user",
+      "user_id",
+      "action",
+      "@timestamp",
+      "request_id",
+      "_document_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.recovery_codes_regenerated",
+    "description": "Two factor recovery codes were regenerated for a user account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "action",
+      "user",
+      "user_agent",
+      "actor_id",
+      "@timestamp",
+      "created_at"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.remove_factor",
+    "description": "A secondary authentication factor was removed from a user account.",
+    "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication"
+  },
+  {
+    "action": "two_factor_authentication.sign_in_fallback_sms",
+    "description": "A one-time password code was sent to a user account fallback phone number.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "operation_type",
+      "user_id",
+      "user",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "action",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "two_factor_authentication.update_fallback",
+    "description": "The two-factor authentication fallback for a user account was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "user",
+      "user_id",
+      "operation_type",
+      "user_agent",
+      "action",
+      "request_id",
+      "actor",
+      "actor_id"
+    ]
+  },
+  {
+    "action": "user.add_email",
+    "description": "An email address was added to a user account.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-email-preferences/adding-an-email-address-to-your-github-account",
+    "fields": [
+      "action",
+      "request_id",
+      "user",
+      "user_id",
+      "user_agent",
+      "operation_type",
+      "_document_id",
+      "actor_id",
+      "actor",
+      "email",
+      "@timestamp",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Adding an email address to your GitHub account"
+  },
+  {
+    "action": "user.async_delete",
+    "description": "An asynchronous job was started to destroy a user account, eventually triggering a user.delete event.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "user_id",
+      "created_at",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "actor_id",
+      "operation_type",
+      "user_agent",
+      "action",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.audit_log_export",
+    "description": "Audit log entries were exported.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user",
+      "action",
+      "request_id",
+      "actor",
+      "@timestamp",
+      "_document_id",
+      "user_agent",
+      "user_id",
+      "operation_type",
+      "created_at"
+    ]
+  },
+  {
+    "action": "user.block_user",
+    "description": "A user was blocked by another user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "action",
+      "actor",
+      "user_id",
+      "_document_id",
+      "actor_id",
+      "@timestamp",
+      "user_agent",
+      "user",
+      "request_id",
+      "blocked_user",
+      "operation_type",
+      "created_at",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.change_password",
+    "description": "A user changed their password.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "actor_id",
+      "operation_type",
+      "actor",
+      "user",
+      "user_id",
+      "action",
+      "created_at",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.codespaces_trusted_repo_access_granted",
+    "description": "Triggered when you allow the codespaces you create for a repository to access other repositories owned by your personal account.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "user.codespaces_trusted_repo_access_revoked",
+    "description": "Triggered when you disallow the codespaces you create for a repository to access other repositories owned by your personal account.",
+    "docs_reference_links": "/codespaces/managing-codespaces-for-your-organization/managing-repository-access-for-your-organizations-codespaces",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ],
+    "docs_reference_titles": "Managing access to other repositories within your codespace"
+  },
+  {
+    "action": "user.create",
+    "description": "A new user account was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "email",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "user",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "actor_id",
+      "action",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.create_integration_secret",
+    "description": "A user secret for Codespaces was created.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.creation_rate_limit_exceeded",
+    "description": "The rate of creation of user accounts, applications, issues, pull requests or other resources exceeded the configured rate limits, or too many users were followed too quickly.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "created_at",
+      "user_agent",
+      "_document_id",
+      "operation_type",
+      "oauth_application_id",
+      "action",
+      "actor",
+      "actor_id",
+      "request_id",
+      "user_id",
+      "@timestamp",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.delete",
+    "description": "A user account was destroyed by an asynchronous job.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "action",
+      "request_id",
+      "user_id",
+      "actor",
+      "actor_id",
+      "user",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.demote",
+    "description": "A site administrator was demoted to an ordinary user account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "oauth_application_id",
+      "action",
+      "user",
+      "created_at",
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "operation_type",
+      "_document_id",
+      "user_id",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.destroy",
+    "description": "A user deleted his or her account, triggering user.async_delete.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "user",
+      "_document_id",
+      "created_at",
+      "user_agent",
+      "user_id",
+      "operation_type",
+      "actor_id",
+      "action",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.device_verification_failure",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user",
+      "user_agent",
+      "user_id",
+      "actor_id",
+      "action",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.device_verification_requested",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "user_id",
+      "actor",
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user",
+      "actor_id",
+      "action",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.device_verification_success",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "user",
+      "_document_id",
+      "action",
+      "operation_type",
+      "user_agent",
+      "created_at",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.disable_collaborators_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.disable_contributors_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.disable_sockpuppet_disallowed",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user_email.confirm_claim",
+    "description": "An enterprise managed user claimed an email address.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_email.mark_as_unclaimed",
+    "description": "N/A",
+    "docs_reference_links": "An enterprise managed user unclaimed an email address.",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "business",
+      "business_id",
+      "actor_is_bot",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "An, GitHub Help Documentation, managed, user, unclaimed, an, email, address."
+  },
+  {
+    "action": "user.enable_collaborators_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.enable_contributors_only",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.enable_sockpuppet_disallowed",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id"
+    ]
+  },
+  {
+    "action": "user.failed_login",
+    "description": "A user tried to sign in with an incorrect username, password, or two-factor authentication code.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "action",
+      "operation_type",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user",
+      "org_id",
+      "actor",
+      "actor_id",
+      "user_agent"
+    ]
+  },
+  {
+    "action": "user.forgot_password",
+    "description": "A user requested a password reset.",
+    "docs_reference_links": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials",
+    "fields": [
+      "action",
+      "_document_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "email",
+      "created_at",
+      "user_id",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "/authentication/keeping-your-account-and-data-secure/updating-your-github-access-credentials"
+  },
+  {
+    "action": "user.grant_github_developer",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "created_at",
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "user",
+      "user_id",
+      "actor",
+      "operation_type",
+      "request_id"
+    ]
+  },
+  {
+    "action": "user.hide_private_contributions_count",
+    "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now hidden.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Manage visibility settings for private contributions"
+  },
+  {
+    "action": "user.login",
+    "description": "A user signed in.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "user_id",
+      "actor_id",
+      "@timestamp",
+      "user",
+      "action",
+      "operation_type",
+      "_document_id",
+      "request_id",
+      "created_at",
+      "actor",
+      "passkey_nickname",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.logout",
+    "description": "A user signed out.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.new_device_used",
+    "description": "A user signed in from a new device.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "user_id",
+      "actor",
+      "operation_type",
+      "created_at",
+      "user_agent",
+      "actor_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.promote",
+    "description": "An ordinary user account was promoted to a site administrator.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "action",
+      "actor",
+      "actor_id",
+      "user",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "oauth_application_id",
+      "request_id",
+      "operation_type",
+      "_document_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.recreate",
+    "description": "A user's account was restored.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "user",
+      "action",
+      "actor_id",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "user_id",
+      "created_at",
+      "actor",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "user.remove_email",
+    "description": "An email address was removed from a user account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "user",
+      "user_id",
+      "operation_type",
+      "actor",
+      "actor_id",
+      "created_at",
+      "email",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.remove_integration_secret",
+    "description": "A user secret for Codespaces was deleted.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.rename",
+    "description": "A username was changed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "request_id",
+      "actor_id",
+      "old_login",
+      "created_at",
+      "_document_id",
+      "actor",
+      "user_id",
+      "@timestamp",
+      "operation_type",
+      "user_agent",
+      "token_scopes",
+      "programmatic_access_type"
+    ]
+  },
+  {
+    "action": "user.reset_password",
+    "description": "A user reset their account password.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "user_agent",
+      "user",
+      "request_id",
+      "user_id",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_session.country_change",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "created_at",
+      "request_id",
+      "user_id",
+      "action",
+      "@timestamp",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "user",
+      "user_agent",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "user.show_private_contributions_count",
+    "description": "A user changed the visibility of their private contributions. The number of contributions to private repositories on the user's profile are now shown.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/managing-contribution-settings-on-your-profile/showing-your-private-contributions-and-achievements-on-your-profile",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "request_id",
+      "user_id",
+      "action",
+      "actor",
+      "user",
+      "operation_type",
+      "user_agent",
+      "actor_id",
+      "created_at",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Manage visibility settings for private contributions"
+  },
+  {
+    "action": "user.sign_in_from_unrecognized_device",
+    "description": "A user signed in from an unrecognized device.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "action",
+      "_document_id",
+      "user_agent",
+      "user",
+      "user_id",
+      "operation_type",
+      "created_at",
+      "actor",
+      "actor_id",
+      "@timestamp",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.sign_in_from_unrecognized_device_and_location",
+    "description": "A user signed in from an unrecognized device and location.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user",
+      "user_id",
+      "@timestamp",
+      "user_agent",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "action",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_status.destroy",
+    "description": "Triggered when you clear the status on your profile.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "org",
+      "user_id",
+      "actor",
+      "message",
+      "user",
+      "actor_id",
+      "created_at",
+      "request_id",
+      "limited_availability",
+      "action",
+      "emoji",
+      "operation_type",
+      "user_agent",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user_status.update",
+    "description": "Triggered when you set or change the status on your profile.",
+    "docs_reference_links": "/account-and-profile/setting-up-and-managing-your-github-profile/customizing-your-profile/personalizing-your-profile#setting-a-status",
+    "fields": [
+      "limited_availability",
+      "user",
+      "action",
+      "actor_id",
+      "message",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "request_id",
+      "@timestamp",
+      "user_agent",
+      "emoji",
+      "org",
+      "actor",
+      "operation_type",
+      "token_scopes",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Personalize your profile"
+  },
+  {
+    "action": "user.suspend",
+    "description": "A user account was suspended.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "oauth_application_id",
+      "operation_type",
+      "actor_id",
+      "user",
+      "user_agent",
+      "request_id",
+      "actor",
+      "created_at",
+      "_document_id",
+      "@timestamp",
+      "user_id",
+      "action",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.toggle_warn_private_email",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "user",
+      "actor_id",
+      "@timestamp",
+      "operation_type",
+      "_document_id",
+      "user_agent",
+      "actor",
+      "action",
+      "user_id",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_challenge_failure",
+    "description": "A 2FA challenge issued for a user account failed.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "operation_type",
+      "created_at",
+      "_document_id",
+      "user_agent",
+      "user",
+      "actor_id",
+      "actor",
+      "user_id",
+      "@timestamp",
+      "action",
+      "request_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_challenge_success",
+    "description": "A 2FA challenge issued for a user account succeeded.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "@timestamp",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "actor_id",
+      "user",
+      "actor",
+      "user_agent",
+      "request_id",
+      "action",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_recover",
+    "description": "A user used their 2FA recovery codes.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "user",
+      "action",
+      "actor",
+      "actor_id",
+      "created_at",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_recovery_codes_downloaded",
+    "description": "A user downloaded 2FA recovery codes for their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_id",
+      "operation_type",
+      "actor_id",
+      "user",
+      "request_id",
+      "action",
+      "@timestamp",
+      "created_at",
+      "user_agent",
+      "actor",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_recovery_codes_printed",
+    "description": "A user printed 2FA recovery codes for their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user",
+      "action",
+      "operation_type",
+      "user_agent",
+      "request_id",
+      "user_id",
+      "created_at",
+      "_document_id",
+      "actor",
+      "actor_id",
+      "@timestamp"
+    ]
+  },
+  {
+    "action": "user.two_factor_recovery_codes_viewed",
+    "description": "A user viewed 2FA recovery codes for their account.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "user_agent",
+      "actor",
+      "user_id",
+      "action",
+      "created_at",
+      "user",
+      "operation_type",
+      "@timestamp",
+      "request_id",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.two_factor_requested",
+    "description": "A user was prompted for a two-factor authentication code.",
+    "docs_reference_links": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication",
+    "fields": [
+      "user",
+      "actor_id",
+      "action",
+      "user_agent",
+      "request_id",
+      "created_at",
+      "_document_id",
+      "user_id",
+      "operation_type",
+      "@timestamp",
+      "actor"
+    ],
+    "docs_reference_titles": "/authentication/securing-your-account-with-two-factor-authentication-2fa/accessing-github-using-two-factor-authentication"
+  },
+  {
+    "action": "user.unblock_user",
+    "description": "A user was unblocked by another user.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor_id",
+      "action",
+      "request_id",
+      "_document_id",
+      "blocked_user",
+      "operation_type",
+      "actor",
+      "@timestamp",
+      "user_agent",
+      "user_id",
+      "user",
+      "created_at",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.unsuspend",
+    "description": "A user account was unsuspended.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "request_id",
+      "_document_id",
+      "user",
+      "action",
+      "user_agent",
+      "actor",
+      "oauth_application_id",
+      "operation_type",
+      "actor_id",
+      "created_at",
+      "@timestamp",
+      "user_id",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.update_integration_secret",
+    "description": "A user secret for Codespaces was updated.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "key",
+      "visibility",
+      "integration",
+      "user",
+      "user_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "user.update_new_repository_default_branch_setting",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "created_at",
+      "user",
+      "user_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "_document_id",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.approve_workflow_job",
+    "description": "A workflow job was approved.",
+    "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "business",
+      "business_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "token_scopes",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Reviewing deployments"
+  },
+  {
+    "action": "workflows.bypass_protection_rules",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "workflow_run_id",
+      "run_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.comment_workflow_job",
+    "description": "N/A",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "token_id",
+      "hashed_token",
+      "programmatic_access_type",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "org",
+      "org_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type"
+    ]
+  },
+  {
+    "action": "workflows.delete_workflow_run",
+    "description": "A workflow run was deleted.",
+    "docs_reference_links": "/actions/managing-workflow-runs/deleting-a-workflow-run",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "workflow_run_id",
+      "started_at",
+      "head_branch",
+      "head_sha",
+      "trigger_id",
+      "programmatic_access_type"
+    ],
+    "docs_reference_titles": "Deleting a workflow run"
+  },
+  {
+    "action": "workflows.disable_workflow",
+    "description": "A workflow was disabled.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "workflow_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.enable_workflow",
+    "description": "A workflow was enabled, after previously being disabled by disable_workflow.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "repo",
+      "repo_id",
+      "workflow_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.pin_workflow",
+    "description": "A workflow was pinned.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "workflow_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  },
+  {
+    "action": "workflows.reject_workflow_job",
+    "description": "A workflow job was rejected.",
+    "docs_reference_links": "/actions/managing-workflow-runs/reviewing-deployments",
+    "fields": [
+      "user_agent",
+      "request_id",
+      "actor",
+      "actor_id",
+      "workflow_run_id",
+      "run_number",
+      "user",
+      "user_id",
+      "repo",
+      "repo_id",
+      "action",
+      "operation_type",
+      "@timestamp",
+      "created_at",
+      "_document_id",
+      "public_repo",
+      "programmatic_access_type",
+      "request_access_security_header"
+    ],
+    "docs_reference_titles": "Reviewing deployments"
+  },
+  {
+    "action": "workflows.unpin_workflow",
+    "description": "A workflow was unpinned after previously being pinned.",
+    "docs_reference_links": "N/A",
+    "fields": [
+      "actor",
+      "actor_id",
+      "user_agent",
+      "request_id",
+      "repo",
+      "repo_id",
+      "public_repo",
+      "workflow_id",
+      "org",
+      "org_id",
+      "business",
+      "business_id",
+      "action",
+      "_document_id",
+      "@timestamp",
+      "created_at",
+      "operation_type",
+      "actor_is_bot",
+      "request_access_security_header"
+    ]
+  }
+]
\ No newline at end of file
diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json
index 6db36cc38448..cfc2750338db 100644
--- a/src/audit-logs/lib/config.json
+++ b/src/audit-logs/lib/config.json
@@ -9,5 +9,5 @@
     "git": "Note: Git events have special access requirements and retention policies that differ from other audit log events. For GitHub Enterprise Cloud, access Git events via the REST API only with 7-day retention. For GitHub Enterprise Server, Git events must be enabled in audit log configuration and are not included in search results.",
     "sso_redirect": "Note: Automatically redirecting users to sign in is currently in beta for Enterprise Managed Users and subject to change."
   },
-  "sha": "1fd7e8dc57f677be202bb6e7024a2ec4b16fd469"
+  "sha": "200887873e2afa17d119188c6b42b0b04248a862"
 }
\ No newline at end of file