jprdonnelly/docs
1
0
Fork 0
mirror of synced 2025-12-19 18:10:59 -05:00
Code Issues Projects Releases Wiki Activity

Display actor IP address in organization's audit logs (#35364)

Browse Source
This commit is contained in:
Laura Coursen
2023-03-14 09:27:05 -05:00
committed by GitHub
parent f002576a3c
commit 56bef16f6e
9 changed files with 65 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/images/help/organizations/audit-log-source-ip-disclosure-tab.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 92 KiB

12
content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise.md
View File

@@ -16,22 +16,22 @@ topics:
## About display of IP addresses in the audit log
By default, {% data variables.product.product_name %} does not display the source IP address for events in your enterprise's audit log. Optionally, to ensure compliance and respond to threats, you can display the full IP address associated with the actor responsible for each event. Actors are typically users, but can also be apps or integrations.
By default, {% data variables.product.product_name %} does not display the source IP address for events in your enterprise's audit log. {% data reusables.audit_log.about-ip-display %}
You are responsible for meeting any legal obligations that accompany the viewing or storage of IP addresses displayed within your enterprise's audit log.
If you choose to display IP addresses, the IP addresses only appear in your enterprise's audit log. IP addresses will not appear for events in the audit logs for individual organizations owned by your enterprise. For more information about organization audit logs, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)."
If you choose to display IP addresses for your enterprise account, the IP addresses will appear in both your enterprise's audit log and the audit log of every organization owned by your enterprise. Alternatively, you can enable the display of IP addresses in the audit log for individual organizations. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization)."
You can display IP addresses in the audit log regardless of which authentication method you use for your enterprise on {% data variables.location.product_location %}. For more information, see "[AUTOTITLE](/admin/identity-and-access-management/managing-iam-for-your-enterprise/about-authentication-for-your-enterprise)."
When anyone creates an account on {% data variables.location.product_location %}, the person agrees to {% data variables.product.company_short %}'s collection of basic information about connections to {% data variables.product.company_short %}'s services, including source IP address. For more information, see "[AUTOTITLE](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement#usage-information)."
{% data reusables.audit_log.users-agree-to-ip-collection %}
## Events that display IP addresses in the audit log
{% data variables.product.product_name %} displays an IP address in the audit log when a member of the enterprise interacts with a resource owned by your enterprise or an organization in your enterprise. For example, you will see an IP address for audited events involving an internal or private repository owned by an organization in your enterprise, or resources associated with those repositories, such as an issue, pull request, action, or project.
If members of your enterprise access {% data variables.location.product_location %} with personal accounts that they manage, because you do not use {% data variables.product.prodname_emus %}, {% data variables.product.product_name %} does not display an event or IP address in the audit log for the following actions.
- Authentication to {% data variables.location.product_location %}
- Interactions with a resource owned by the personal account, including a repository, gist, or project
- Interactions with a public repository owned by an organization in your enterprise
@@ -44,9 +44,7 @@ If members of your enterprise access {% data variables.location.product_location
1. Under "Audit log", click **Source IP disclosure**.
![Screenshot of "Source IP disclosure" tab](/assets/images/help/enterprises/audit-log-source-ip-disclosure-tab.png)
1. Under "Disclose actor IP addresses in audit logs", select **Enable source IP disclosure**.
![Screenshot of checkbox to enable display of IP addresses in audit logs](/assets/images/help/enterprises/audit-log-enable-source-ip-disclosure-checkbox.png)
{% data reusables.audit_log.enable-ip-disclosure %}
1. Click **Save**.
After you enable the feature, you can access the audit log to view events that include IP addresses. For more information, see "[AUTOTITLE](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/accessing-the-audit-log-for-your-enterprise)."

49
content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization.md Normal file
View File

@@ -0,0 +1,49 @@
---
title: Displaying IP addresses in the audit log for your organization
intro: You can display the source IP address for events in your organization's audit log.
shortTitle: IP addresses in audit log
permissions: Organization owners can display IP addresses in the audit log for an enterprise.
versions:
feature: display-ip-org-audit-log
type: how_to
topics:
- Auditing
- Organizations
- Networking
- Security
---
{% note %}
**Note:** Displaying IP addresses in the audit log for an organization is in public beta and subject to change.
{% endnote %}
## About display of IP addresses in the audit log
By default, {% data variables.product.product_name %} does not display the source IP address for events in your organization's audit log. {% data reusables.audit_log.about-ip-display %}
You are responsible for meeting any legal obligations that accompany the viewing or storage of IP addresses displayed within your organization's audit log.
Alternatively, you can configure IP addresses at the enterprise level. For more information, see "[Displaying IP addresses in the audit log for your enterprise](/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/displaying-ip-addresses-in-the-audit-log-for-your-enterprise)."
{% data reusables.audit_log.users-agree-to-ip-collection %}
After you enable the feature, you can access the audit log to view events that include IP addresses. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization)."
## Events that display IP addresses in the audit log
{% data variables.product.product_name %} displays an IP address for each event in the organization audit log that meets these criteria.
- The actor is an organization member or owner
- The target is either an organization-owned repository that is private or internal, or an organization resource that is not a repository, such as a project.
## Enabling display of IP addresses in the audit log
{% data reusables.profile.access_org %}
{% data reusables.profile.org_settings %}
1. Click **Source IP disclosure**.
![Screenshot of the "Audit log" page for an organization. A tab, labeled "Source IP disclosure," is outlined in dark orange.](/assets/images/help/organizations/audit-log-source-ip-disclosure-tab.png)
{% data reusables.audit_log.enable-ip-disclosure %}
1. Click **Save**.

2
content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/index.md
View File

@@ -15,6 +15,6 @@ children:
- /managing-allowed-ip-addresses-for-your-organization
- /restricting-email-notifications-for-your-organization
- /reviewing-the-audit-log-for-your-organization
- /displaying-ip-addresses-in-the-audit-log-for-your-organization
- /accessing-compliance-reports-for-your-organization
---

6
content/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization.md
View File

@@ -475,12 +475,14 @@ For more information, see "[AUTOTITLE](/organizations/managing-organization-sett
| `cancel_invitation` | Triggered when an organization invitation has been revoked. {% endif %}{% ifversion fpt or ghes or ghec %}
| `create_actions_secret` | Triggered when a {% data variables.product.prodname_actions %} secret is created for an organization. For more information, see "[AUTOTITLE](/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-an-organization)."{% endif %} {% ifversion fpt or ghec %}
| `disable_oauth_app_restrictions` | Triggered when an owner [disables {% data variables.product.prodname_oauth_app %} access restrictions](/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization) for your organization.{% ifversion ghec %}
| `disable_saml` | Triggered when an organization admin disables SAML single sign-on for an organization.{% endif %}{% endif %}
| `disable_saml` | Triggered when an organization admin disables SAML single sign-on for an organization.{% endif %}{% endif %}{% ifversion display-ip-org-audit-log %}
| `disable_source_ip_disclosure` | Triggered when an organization owner disables the display of IP addresses in the audit log for the organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization)." | {% endif %}
| `disable_member_team_creation_permission` | Triggered when an organization owner limits team creation to owners. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization)." |{% ifversion not ghae %}
| `disable_two_factor_requirement` | Triggered when an owner disables a two-factor authentication requirement for all members{% ifversion fpt or ghec %}, billing managers,{% endif %} and outside collaborators in an organization.{% endif %}{% ifversion fpt or ghec %}
| `enable_oauth_app_restrictions` | Triggered when an owner [enables {% data variables.product.prodname_oauth_app %} access restrictions](/organizations/managing-oauth-access-to-your-organizations-data/enabling-oauth-app-access-restrictions-for-your-organization) for your organization.{% ifversion ghec %}
| `enable_saml` | Triggered when an organization admin [enables SAML single sign-on](/organizations/managing-saml-single-sign-on-for-your-organization/enabling-and-testing-saml-single-sign-on-for-your-organization) for an organization.{% endif %}{% endif %}
| `enable_member_team_creation_permission` | Triggered when an organization owner allows members to create teams. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization)." |{% ifversion not ghae %}
| `enable_member_team_creation_permission` | Triggered when an organization owner allows members to create teams. For more information, see "[AUTOTITLE](/organizations/managing-organization-settings/setting-team-creation-permissions-in-your-organization)." |{% ifversion display-ip-org-audit-log %}
| `enable_source_ip_disclosure` | Triggered when an organization owner enables the display of IP addresses in the audit log for the organization. For more information, see "[AUTOTITLE](/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/displaying-ip-addresses-in-the-audit-log-for-your-organization)." | {% endif %}{% ifversion not ghae %}
| `enable_two_factor_requirement` | Triggered when an owner requires two-factor authentication for all members{% ifversion fpt or ghec %}, billing managers,{% endif %} and outside collaborators in an organization.{% endif %}{% ifversion fpt or ghec %}
| `invite_member` | Triggered when [a new user was invited to join your organization](/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization).
| `oauth_app_access_approved` | Triggered when an owner [grants organization access to an {% data variables.product.prodname_oauth_app %}](/organizations/managing-oauth-access-to-your-organizations-data/approving-oauth-apps-for-your-organization).

3
data/features/display-ip-org-audit-log.yml Normal file
View File

@@ -0,0 +1,3 @@
versions:
fpt: '*'
ghec: '*'

1
data/reusables/audit_log/about-ip-display.md Normal file
View File

@@ -0,0 +1 @@
Optionally, to ensure compliance and respond to threats, you can display the full IP address associated with the actor responsible for each event. Actors are typically users, but can also be apps or integrations.

1
data/reusables/audit_log/enable-ip-disclosure.md Normal file
View File

@@ -0,0 +1 @@
1. Under "Disclose actor IP addresses in audit logs", select **Enable source IP disclosure**.

1
data/reusables/audit_log/users-agree-to-ip-collection.md Normal file
View File

@@ -0,0 +1 @@
When anyone creates an account on {% data variables.location.product_location %}, the person agrees to {% data variables.product.company_short %}'s collection of basic information about connections to {% data variables.product.company_short %}'s services, including source IP address. For more information, see "[AUTOTITLE](/free-pro-team@latest/site-policy/privacy-policies/github-privacy-statement#usage-information)."