Adding note about API events that are audit log streamed (#57295)

sn2b · hubwriter · web-flow · commit 2165c2292741 · 2025-08-29T14:21:22.000Z
Co-authored-by: hubwriter &lt;hubwriter@github.com&gt;
diff --git a/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise.md b/content/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise.md
@@ -316,6 +316,8 @@ To restart streaming, click **Resume stream**.
 
 ## Enabling audit log streaming of API requests
 
+>[!NOTE] Not all API requests are included in the audit log stream after this feature is enabled. The streaming of API requests is limited to security relevant endpoints.
+
 {% data reusables.enterprise-accounts.access-enterprise %}
 {% data reusables.enterprise-accounts.settings-tab %}
 {% data reusables.enterprise-accounts.audit-log-tab %}
diff --git a/src/audit-logs/data/ghec/enterprise.json b/src/audit-logs/data/ghec/enterprise.json
@@ -160,7 +160,7 @@
   },
   {
     "action": "api.request",
-    "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
+    "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
     "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
     "fields": [
       "user_agent",
@@ -20170,4 +20170,4 @@
       "request_access_security_header"
     ]
   }
-]
+]
diff --git a/src/audit-logs/data/ghes-3.14/enterprise.json b/src/audit-logs/data/ghes-3.14/enterprise.json
@@ -126,7 +126,7 @@
   },
   {
     "action": "api.request",
-    "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
+    "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
     "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
     "fields": [
       "user_agent",
@@ -16247,4 +16247,4 @@
       "request_access_security_header"
     ]
   }
-]
+]
diff --git a/src/audit-logs/data/ghes-3.15/enterprise.json b/src/audit-logs/data/ghes-3.15/enterprise.json
@@ -126,7 +126,7 @@
   },
   {
     "action": "api.request",
-    "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
+    "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
     "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
     "fields": [
       "user_agent",
@@ -16446,4 +16446,4 @@
       "request_access_security_header"
     ]
   }
-]
+]
diff --git a/src/audit-logs/data/ghes-3.16/enterprise.json b/src/audit-logs/data/ghes-3.16/enterprise.json
@@ -126,7 +126,7 @@
   },
   {
     "action": "api.request",
-    "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
+    "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
     "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
     "fields": [
       "user_agent",
@@ -17160,4 +17160,4 @@
       "request_access_security_header"
     ]
   }
-]
+]
diff --git a/src/audit-logs/data/ghes-3.17/enterprise.json b/src/audit-logs/data/ghes-3.17/enterprise.json
@@ -126,7 +126,7 @@
   },
   {
     "action": "api.request",
-    "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
+    "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
     "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
     "fields": [
       "user_agent",
@@ -17607,4 +17607,4 @@
       "request_access_security_header"
     ]
   }
-]
+]
diff --git a/src/audit-logs/data/ghes-3.18/enterprise.json b/src/audit-logs/data/ghes-3.18/enterprise.json
@@ -126,7 +126,7 @@
   },
   {
     "action": "api.request",
-    "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
+    "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
     "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
     "fields": [
       "user_agent",
@@ -17710,4 +17710,4 @@
       "request_access_security_header"
     ]
   }
-]
+]

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@`
`160`	`160`	`},`
`161`	`161`	`{`
`162`	`162`	`"action": "api.request",`
`163`		`- "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",`
	`163`	`+ "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",`
`164`	`164`	`"docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",`
`165`	`165`	`"fields": [`
`166`	`166`	`"user_agent",`
`@@ -20170,4 +20170,4 @@`
`20170`	`20170`	`"request_access_security_header"`
`20171`	`20171`	`]`
`20172`	`20172`	`}`
`20173`		`-]`
	`20173`	`+]`
Original file line number	Diff line number	Diff line change
`@@ -126,7 +126,7 @@`
`126`	`126`	`},`
`127`	`127`	`{`
`128`	`128`	`"action": "api.request",`
`129`		`- "description": "An API request was made to an endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",`
	`129`	`+ "description": "An API request was made to a security relevant endpoint for the enterprise, or an enterprise owned resource. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",`
`130`	`130`	`"docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",`
`131`	`131`	`"fields": [`
`132`	`132`	`"user_agent",`
`@@ -16247,4 +16247,4 @@`
`16247`	`16247`	`"request_access_security_header"`
`16248`	`16248`	`]`
`16249`	`16249`	`}`
`16250`		`-]`
	`16250`	`+]`