Merge pull request #28 from joshjohanning/add-enterprise-audit-log

Add enterprise audit log

Author: joshjohanning

gh-cli/README.md

@@ -492,7 +492,16 @@ In a 1 year block, return the date of the first non-public contribution
 
 See also: [Another example](https://github.com/orgs/community/discussions/24427#discussioncomment-3244093)
 
-## get-enterprise-id.sh
+### get-enterprise-audit-log-for-organization.sh
+
+This queries the [Enterprise audit log API](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise) to specifically return if features have been enabled or disabled in an organization since a given date.
+
+Additional resources:
+
+- [Using the audit log API for your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/using-the-audit-log-api-for-your-enterprise)
+- [Searching the audit log for your enterprise](https://docs.github.com/en/enterprise-cloud@latest/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/searching-the-audit-log-for-your-enterprise)
+- [Get the audit log for an enterprise](https://docs.github.com/en/enterprise-cloud@latest/rest/enterprise-admin/audit-log?apiVersion=2022-11-28#get-the-audit-log-for-an-enterprise)
+
 ### get-enterprise-id.sh
 
 Get the enterprise ID used for other GraphQL calls. Use the URL slug of the Enterprise as the input.

gh-cli/get-enterprise-audit-log-for-organization.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# This queries the Enterprise audit log APIs to specifically return if features have been enabled or disabled in an organization since a given date
+
+if [ -z "$2" ]; then
+  echo "Usage: $0 <enterprise> <org> <date>"
+  echo "Example: ./get-enterprise-audit-log-for-organization.sh avocado-corp joshjohanning-org 2023-09-05"
+  exit 1
+fi
+
+enterprise="$1"
+org="$2"
+date="$3"
+
+# if date is empty, default to yesterdays date
+if [ -z "$date" ]; then
+  date=$(gdate -d "yesterday" +%Y-%m-%d) # if on linux, change from gdate to date
+fi
+
+# take note of rate limits: Each audit log API endpoint has a rate limit of 1,750 queries per hour for a given combination of user and IP address
+#   - may receive errors and partial results if user does not have admin rights to all organizations / repositories
+
+gh api -X GET --paginate "/enterprises/$enterprise/audit-log" -f "phrase=org:$org+created:>=$date" -f per_page=100 | \
+  sed 's/{"message":"Must have admin rights to Repository.","documentation_url":"https:\/\/docs.github.com\/rest\/enterprise-admin\/audit-log#get-the-audit-log-for-an-enterprise"}/]/g' | \
+  jq '.[] | select(.action | test("disable[d]?|enable[d]?")) | {action, actor, org, "@timestamp"} | .["@timestamp"] /= 1000 | .["@timestamp"] |= strftime("%Y-%m-%d %H:%M:%S")'