elastic · kcreddy · Dec 29, 2025 · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "2.20.0"
+  changes:
+    - description: Update `event.kind` to "alert" for `code_scanning.alert_created` and `secret_scanning_alert.create` actions.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16693
 - version: "2.19.0"
   changes:
     - description: Document the limitation of Issues API for organization-level queries.

@@ -193,3 +193,4 @@
 {"@timestamp":1692981844013,"_document_id":"o3FQ28lbx0JLWX3ltZk84A","action":"integration_installation.repositories_added","actor":"radsectec","actor_id":142823021,"actor_location":{"country_code":"US"},"business":"rad-sec-tec","business_id":67609,"created_at":1692981844013,"integration":"Create Issue Branch","name":"Create Issue Branch","operation_type":"create","org":"onyxsectec","org_id":142831595,"repositories_added":[683120812],"repositories_added_names":["onyxsectec/25"],"repository_selection":"all","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/116.0"}
 {"@timestamp":1695226819136,"_document_id":"ZbucfL_5S6qrIB3y7Ya2ww","action":"integration_installation.repositories_removed","actor":"imays11","actor_id":59296946,"business":"rad-sec-tec","business_id":67609,"created_at":1695226819136,"integration":"Create Issue Branch","name":"Create Issue Branch","operation_type":"remove","org":"onyxsectec","org_id":142831595,"repositories_removed":[683120812],"repositories_removed_names":["onyxsectec/25"],"repository_selection":"all","topic":"github.repositories.v1.Deleted"}
 {"@timestamp":1674454040515,"action":"hook.create","active":true,"actor":"userdeserve","actor_id":23123,"actor_location":{"country_code":"US"},"business":"deserve","business_id":3231,"created_at":1674454840535,"events":[{"test":"yes"}],"hashed_token":"12387sdjbqas17827ty1o2u313","hook_id":23122678,"name":"webhook","oauth_application":null,"oauth_application_id":null,"operation_type":"create","org":"trustfactors","org_id":324235623,"programmatic_access_type":"Authentication token created before 2021-04-05","public_repo":false,"repo":"org/repo","repo_id":266143714,"token_id":213123634,"token_scopes":"repo","user_agent":"AWS CodePipeline"}
+{"@timestamp":1766585825019,"_document_id":"f8c2d4a1-9e7b-4f3c-a5d6-2b8e1c0f9a47","action":"secret_scanning_alert.create","actor":"github","actor_id":9999,"business":"sample-business.org","business_id":111111,"created_at":1766585825019,"multi_repo":true,"number":1,"org":"sample-organization","org_id":333333,"publicly_leaked":false,"repo":"sample-organization/sample-repository","repo_id":222222,"secret_type":"password","secret_type_display_name":"Password"}
@@ -8186,6 +8186,53 @@
                 "name": "Other",
                 "original": "AWS CodePipeline"
             }
+        },
+        {
+            "@timestamp": "2025-12-24T14:17:05.019Z",
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "action": "secret_scanning_alert.create",
+                "category": [
+                    "configuration",
+                    "web"
+                ],
+                "id": "f8c2d4a1-9e7b-4f3c-a5d6-2b8e1c0f9a47",
+                "kind": "alert",
+                "original": "{\"@timestamp\":1766585825019,\"_document_id\":\"f8c2d4a1-9e7b-4f3c-a5d6-2b8e1c0f9a47\",\"action\":\"secret_scanning_alert.create\",\"actor\":\"github\",\"actor_id\":9999,\"business\":\"sample-business.org\",\"business_id\":111111,\"created_at\":1766585825019,\"multi_repo\":true,\"number\":1,\"org\":\"sample-organization\",\"org_id\":333333,\"publicly_leaked\":false,\"repo\":\"sample-organization/sample-repository\",\"repo_id\":222222,\"secret_type\":\"password\",\"secret_type_display_name\":\"Password\"}",
+                "type": [
+                    "creation"
+                ]
+            },
+            "github": {
+                "actor_id": "9999",
+                "business": "sample-business.org",
+                "business_id": "111111",
+                "category": "secret_scanning_alert",
+                "multi_repo": true,
+                "number": 1,
+                "org": "sample-organization",
+                "org_id": "333333",
+                "publicly_leaked": false,
+                "repo": "sample-organization/sample-repository",
+                "repo_id": "222222",
+                "secret_type": "password",
+                "secret_type_display_name": "Password"
+            },
+            "related": {
+                "user": [
+                    "github",
+                    "9999"
+                ]
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "9999",
+                "name": "github"
+            }
         }
     ]
 }
@@ -1,9 +1,6 @@
 ---
 description: Pipeline for parsing GitHub audit logs
 processors:
-  - set:
-      field: event.kind
-      value: event
   - set:
       field: ecs.version
       value: '8.11.0'
@@ -76,6 +73,14 @@ processors:
       field: github.action
       target_field: event.action
       ignore_missing: true
+  - set:
+      field: event.kind
+      value: alert
+      if: ctx.event?.action?.equalsIgnoreCase('code_scanning.alert_created') == true || ctx.event?.action?.equalsIgnoreCase('secret_scanning_alert.create') == true
+  - set:
+      field: event.kind
+      value: event
+      if: ctx.event?.kind == null
   - rename:
       field: github.actor
       target_field: user.name

@@ -94,10 +94,14 @@
       type: keyword
     - name: message
       type: keyword
+    - name: multi_repo
+      type: boolean
     - name: name
       type: keyword
     - name: new_role
       type: keyword
+    - name: number
+      type: long
     - name: old_role
       type: keyword
     - name: operation_type
@@ -118,6 +122,8 @@
         Type of authentication used.
     - name: public_repo
       type: boolean
+    - name: publicly_leaked
+      type: boolean
     - name: pull_request_id
       type: keyword
     - name: pull_request_title
@@ -158,6 +164,10 @@
         The name of the repository.
     - name: request_category
       type: keyword
+    - name: secret_type
+      type: keyword
+    - name: secret_type_display_name
+      type: keyword
     - name: secrets_updated
       type: keyword
     - name: source_branch

@@ -97,15 +97,18 @@ For Filebeat input documentation, refer to the following pages:
 | github.login_method |  | keyword |
 | github.logout_reason |  | keyword |
 | github.message |  | keyword |
+| github.multi_repo |  | boolean |
 | github.name |  | keyword |
 | github.new_role |  | keyword |
+| github.number |  | long |
 | github.old_role |  | keyword |
 | github.operation_type |  | keyword |
 | github.org | GitHub organization name. | keyword |
 | github.org_id |  | keyword |
 | github.permission | GitHub user permissions for the event. | keyword |
 | github.programmatic_access_type | Type of authentication used. | keyword |
 | github.public_repo |  | boolean |
+| github.publicly_leaked |  | boolean |
 | github.pull_request_id |  | keyword |
 | github.pull_request_title |  | keyword |
 | github.pull_request_url |  | keyword |
@@ -120,6 +123,8 @@ For Filebeat input documentation, refer to the following pages:
 | github.repository_public | Whether the GitHub repository is publicly visible. | boolean |
 | github.repository_selection | Whether all repositories have been selected or there's a selection involved. | keyword |
 | github.request_category |  | keyword |
+| github.secret_type |  | keyword |
+| github.secret_type_display_name |  | keyword |
 | github.secrets_updated |  | keyword |
 | github.source_branch |  | keyword |
 | github.target_branch |  | keyword |

@@ -1,6 +1,6 @@
 name: github
 title: GitHub
-version: "2.19.0"
+version: "2.20.0"
 description: Collect logs from GitHub with Elastic Agent.
 type: integration
 format_version: "3.4.0"