Skip to main content

Audit log events for agents

Understand the structure of audit log events for agents in your enterprise.

Who can use this feature?

Enterprise owners

You can apply the actor:Copilot filter to your enterprise audit log to view agentic activity over the last 180 days.

The following key fields can help you interpret agentic events:

FieldDescriptionExample value
actionThe action performed by the agent, such as creating a pull request.pull_request.create
actor_is_agentIndicates whether the actor is an AI agent. This will always be true for agentic audit log events.true
agent_session_idA unique identifier linking to the specific agent session that generated the event. This field only appears when the event is the result of an agent session.012345a6-b7c8-9012-de3f-45gh678i9012
userThe person who initiated the agentic event.octocat

Streaming audit log events

Note

This feature is in public preview and is available for enterprises that use Enterprise Managed Users and for enterprises that use GitHub Enterprise Cloud with data residency.

The table below shows the fields that are included in each streamed Copilot API usage record.

Each streamed record is a JSON object with the following properties:

FieldTypeDescription
typestringThe record type (request or response).
user_idintegerThe ID of the user who made the request.
enterprise_idintegerThe ID of the enterprise.
endpointstringThe Copilot API endpoint the usage record interacted with.
bodystringThe request or response body (JSON-encoded string).
@timestampintegerMilliseconds since Unix epoch.
truncatedbooleantrue when the body field has been trimmed to fit within the 1 MB document size limit. Omitted (treated as false) when the body is delivered in full.
event_idstringUnique event identifier for this streamed usage record.
github_request_idstringGitHub request identifier associated with the Copilot usage event.