What Changed
The GitHub Audit Logs Azure Storage CCF connector (v3.4.0) introduces a new GitHubAuditLogsV3_CL custom table that replaces GitHubAuditLogsV2_CL as the default ingestion target. The DCR transform is updated to project ten additional fields sourced from the GitHub API api.request object: repository, repository_id, token_scopes, request_method, query_string, request_body, status_code, url_path, route, and rate_limit_remaining.
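The following is an added illustration of what the DCR-level projection of the ten new fields looks like as a transformKql fragment; it is not the connector's actual DCR.json. It assumes the incoming stream carries the raw GitHub audit event in a dynamic column named RawEvent with the HTTP details nested under api.request, and that the output columns carry the same names as the fields listed above.

```kql
// Added example (hypothetical): illustrative transformKql for a DCR that projects the ten
// api.request fields onto the GitHubAuditLogsV3_CL stream.
// Assumption: RawEvent is a dynamic column holding the audit event; api.request is nested inside it.
source
| extend api_request = RawEvent.api.request
| extend
    repository           = tostring(api_request.repository),
    repository_id        = tolong(api_request.repository_id),
    token_scopes         = tostring(api_request.token_scopes),
    request_method       = tostring(api_request.request_method),
    query_string         = tostring(api_request.query_string),
    request_body         = tostring(api_request.request_body),
    status_code          = toint(api_request.status_code),
    url_path             = tostring(api_request.url_path),
    route                = tostring(api_request.route),
    rate_limit_remaining = toint(api_request.rate_limit_remaining)
| project-away api_request
```

In a real DCR.json the transform is stored as a single-line string under transformKql, and every projected column must also be declared in the destination table schema (here table_GitHubAuditLogsV3.json) or the ingestion pipeline drops it silently.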
The ConnectorDefinition.json UI and connectivity health queries are updated to reference GitHubAuditLogsV3_CL. The GitHubAuditData KQL parser (v1.1.0) is extended with a GitHubAuditLogsV3_view sub-query that union-includes the V3 table alongside the legacy V1 and V2 views, so existing detections using the GitHubAuditData function continue to work without modification.
Security Impact (Visibility and Fidelity)
The newly surfaced fields directly improve detection fidelity for API-abuse and credential-misuse scenarios:
- token_scopes enables detection of over-permissioned OAuth tokens or fine-grained PATs used in audit actions; this field was previously absent, so queries relying on scope inspection returned null.
- request_method / url_path / route provide HTTP-layer context for audit events, supporting detection of unusual API endpoint access patterns (e.g., bulk enumeration via GET /orgs/ORG/members).
- status_code allows filtering on failed API calls (4xx/5xx) without joining to external log sources; useful for brute-force or permission-probe detection.
- request_body exposes payload content for mutating API calls; relevant for detecting privilege escalation or membership manipulation through the API.
- rate_limit_remaining: low or zero values can indicate automated scraping or reconnaissance activity (MITRE T1595 / T1590).
Deployments still running with GitHubAuditLogsV2_CL as the connector target will not receive these fields. New deployments, or existing ones that redeploy the connector, will begin writing to GitHubAuditLogsV3_CL.
Parser Impact
GitHubAuditData (KQL workspace function) now unions three views: GitHubAuditLogPolling_view, GitHubAuditLogsV2_view, and the new GitHubAuditLogsV3_view. Field mapping within the V3 view mirrors the V2 view for the shared normalised columns (Organization, Action, Repository, Actor, Country, etc.) with no change to normalised field names visible to existing detections consuming the parser.
The additional DCR-level fields (token_scopes, request_method, etc.) are available directly on GitHubAuditLogsV3_CL but are not yet surfaced as normalised columns in the GitHubAuditData parser; queries that need those fields must reference the raw table.
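As an added example (not part of the solution or its parser), the following hunting query shows how the failure-rate and rate-limit signals described under Security Impact are read directly from the raw GitHubAuditLogsV3_CL table, since the parser does not yet expose them. It assumes the raw column names match the field names above (status_code, request_method, url_path, rate_limit_remaining, token_scopes), that the raw table has an actor column, and the thresholds are arbitrary starting points.

```kql
// Added example (hypothetical): surface actors with bursts of failed API calls or an exhausted rate limit,
// using fields that exist only on the raw V3 table, not on the GitHubAuditData parser output.
// Assumption: column names match the release note's field names; "actor" is the raw actor column.
let lookback = 1h;
let failure_threshold = 20;   // 4xx responses per actor per 15-minute bin before we flag
GitHubAuditLogsV3_CL
| where TimeGenerated > ago(lookback)
| where isnotempty(status_code)
| extend StatusCode = toint(status_code), RateLimitRemaining = toint(rate_limit_remaining)
| summarize
    Failed4xx        = countif(StatusCode between (400 .. 499)),
    Failed5xx        = countif(StatusCode >= 500),
    DistinctPaths    = dcount(url_path),
    MinRateLimitLeft = min(RateLimitRemaining),
    Scopes           = make_set(token_scopes, 10),
    Methods          = make_set(request_method, 5)
    by actor, bin(TimeGenerated, 15m)
| where Failed4xx >= failure_threshold or MinRateLimitLeft == 0
| order by Failed4xx desc
```

Because GitHubAuditData unions V1, V2 and V3 rows, a rule built on the parser keeps working across the migration, but anything that filters on these new columns has to query GitHubAuditLogsV3_CL as above and will return nothing for workspaces still writing to GitHubAuditLogsV2_CL.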
Affected Files
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/ConnectorDefinition.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/DCR.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/PollingConfig.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV2.json
Solutions/GitHub/Data Connectors/GitHubAuditLogs_AzStorage/table_GitHubAuditLogsV3.json
Solutions/GitHub/Parsers/GitHubAuditData.yaml
(packaging artefacts: 3.4.0.zip, ReleaseNotes.md, Solution_GitHub.json, mainTemplate.json)