
@chrisberkhout
Contributor

@chrisberkhout chrisberkhout commented Nov 24, 2025

Proposed commit message

[github] audit: prefer @timestamp over created_at in agent cursor logic

Although the query parameter is `created`, listings are ordered by
`@timestamp`. The `created_at` field often has older times, and it's
absent from some event types, such as git events[1].

We keep `created_at` as a fallback, because some events don't have
`@timestamp` according to the documentation[2] (although that hasn't
been verified in the live API).

[1]: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#git
[2]: https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/audit-log-events-for-your-enterprise#code_scanning

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices
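The cursor selection described in the proposed commit message, worked through as an added Go example. This is not the integration's own code (the real fix lives in the audit data stream's HTTPJSON input configuration, which is not shown on this page); the page of events is constructed, and both `@timestamp` and `created_at` are assumed to be epoch-millisecond integers, the form these fields take in the GitHub audit log API. It compares the old selection (`created_at` only) with the new one (`@timestamp`, falling back to `created_at`) over a page that contains a regular event whose `created_at` is older than its `@timestamp`, a git event with no `created_at`, and an event with `created_at` only, as the documentation describes:

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// event is one entry from an audit log listing, decoded loosely because
// the set of fields differs by event type.
type event map[string]any

// Constructed sample page (not real API output). Values are epoch
// milliseconds, assumed to match the GitHub audit log API representation.
const samplePage = `[
  {"action": "repo.create", "@timestamp": 1764000000000, "created_at": 1763990000000},
  {"action": "git.push", "@timestamp": 1764000300000},
  {"action": "code_scanning.alert_fixed", "created_at": 1764000200000}
]`

// eventTime is the selection after the fix: @timestamp first, created_at
// as a fallback. ok is false when neither field is present.
func eventTime(ev event) (t time.Time, ok bool) {
	for _, key := range []string{"@timestamp", "created_at"} {
		if v, present := ev[key]; present {
			// encoding/json decodes JSON numbers into float64.
			if ms, isNum := v.(float64); isNum {
				return time.UnixMilli(int64(ms)).UTC(), true
			}
		}
	}
	return time.Time{}, false
}

// createdAtOnly is the selection before the fix, kept for comparison.
func createdAtOnly(ev event) (time.Time, bool) {
	if ms, isNum := ev["created_at"].(float64); isNum {
		return time.UnixMilli(int64(ms)).UTC(), true
	}
	return time.Time{}, false
}

// nextCursor advances the cursor over one page: it returns the latest time
// the chosen field yields, never moving backwards from prev, plus the number
// of events that field could not date (those contribute nothing to the
// cursor, so the next request may re-fetch or miss them).
func nextCursor(page []event, prev time.Time, pick func(event) (time.Time, bool)) (cursor time.Time, undated int) {
	cursor = prev
	for _, ev := range page {
		t, ok := pick(ev)
		if !ok {
			undated++
			continue
		}
		if t.After(cursor) {
			cursor = t
		}
	}
	return cursor, undated
}

// parsePage decodes a JSON array of audit log events.
func parsePage(raw string) ([]event, error) {
	var page []event
	if err := json.Unmarshal([]byte(raw), &page); err != nil {
		return nil, err
	}
	return page, nil
}

func main() {
	page, err := parsePage(samplePage)
	if err != nil {
		panic(err)
	}
	oldCursor, oldUndated := nextCursor(page, time.Time{}, createdAtOnly)
	newCursor, newUndated := nextCursor(page, time.Time{}, eventTime)
	fmt.Printf("created_at only:  cursor=%s undated=%d\n", oldCursor.Format(time.RFC3339), oldUndated)
	fmt.Printf("@timestamp first: cursor=%s undated=%d\n", newCursor.Format(time.RFC3339), newUndated)
}
```

With `created_at` only, the git event is undated and the cursor lands on the code-scanning event's older time, so the next `created`-filtered request would return the git event's neighbours again; preferring `@timestamp` dates every event in the page and advances the cursor to the newest one the listing is actually ordered by.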

@chrisberkhout chrisberkhout self-assigned this Nov 24, 2025
@chrisberkhout chrisberkhout requested a review from a team as a code owner November 24, 2025 15:38
@chrisberkhout chrisberkhout added labels Integration:github, bugfix, Team:Security-Service Integrations Nov 24, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Contributor

@efd6 efd6 left a comment

Suggest title change to [github] audit: prefer @timestamp over created_at in agent cursor logic.

# newer versions go on top
- version: "2.17.3"
  changes:
    - description: Fix HTTPJSON pagination logic for audit data stream.
Contributor

Should this be "cursor logic"?

Contributor Author

You use a cursor to request a page, so I think either is okay but I updated to

Fix HTTPJSON cursor logic for audit data stream.

Took the suggested PR/commit description.

@chrisberkhout chrisberkhout changed the title [github] audit: prefer @timestamp over created_at [github] audit: prefer @timestamp over created_at in agent cursor logic Nov 26, 2025
@chrisberkhout chrisberkhout requested a review from efd6 November 26, 2025 08:57
@elasticmachine

💚 Build Succeeded

cc @chrisberkhout

@chrisberkhout chrisberkhout merged commit b7acdc2 into elastic:main Nov 27, 2025
7 checks passed
@elastic-vault-github-plugin-prod

Package github - 2.17.3 containing this change is available at https://epr.elastic.co/package/github/2.17.3/
