Audit Log - Query

Queries audit log entries

GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?api-version=6.0-preview.1
GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?startTime={startTime}&endTime={endTime}&batchSize={batchSize}&continuationToken={continuationToken}&skipAggregation={skipAggregation}&api-version=6.0-preview.1

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| organization | path | | string | The name of the Azure DevOps organization. |
| api-version | query | True | string | Version of the API to use. This should be set to '6.0-preview.1' to use this version of the API. |
| batchSize | query | | integer (int32) | Max number of results to return. Optional |
| continuationToken | query | | string | Token used for returning next set of results from previous query. Optional |
| endTime | query | | string (date-time) | End time of download window. Optional |
| skipAggregation | query | | boolean | Skips aggregating events and leaves them as individual entries instead. By default events are aggregated. Event types that are aggregated: AuditLog.AccessLog. |
| startTime | query | | string (date-time) | Start time of download window. Optional |

Responses

| Name | Type | Description |
|---|---|---|
| 200 OK | | successful operation |

Security

oauth2

Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Scopes

| Name | Description |
|---|---|
| vso.auditlog | Grants the ability to read the auditing log to users |

Examples

By date

Sample Request

GET https://auditservice.dev.azure.com/_apis/audit/auditlog?startTime=2019-03-04T14:05:59.928Z&endTime=2019-03-05T14:05:59.928Z&batchSize=2&api-version=6.0-preview.1

Sample Response

{
  "value": {
    "decoratedAuditLogEntries": [
      {
        "id": "2518505060978539161;00000064-0000-8888-8000-000000000000;86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "correlationId": "86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "activityId": "033fde68-f713-4984-b24f-8d7a73d1ade6",
        "actorCUID": "a718550e-4777-4058-8298-bff88d0cb524",
        "actorUserId": "d6a98b6c-6932-485c-a986-aea9fc981df0",
        "authenticationMechanism": "FedAuth",
        "timestamp": "2019-03-05T14:05:02.1460838+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": "167.220.148.131",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
        "actionId": "AuditLog.AccessLog",
        "data": {
          "Filter": {
            "StartTime": "2019-03-04T14:05:59.928Z",
            "EndTime": "2019-03-05T14:05:59.928Z",
            "ContinuationToken": null,
            "BatchSize": 2,
            "HasMore": true
          },
          "EventSummary": [
            "2019-03-05T14:05:02.1460838+00:00",
            "2019-03-05T13:59:40.4899467+00:00",
            "2019-03-05T13:58:13.159128+00:00"
          ]
        },
        "details": "Accessed the audit log 3 times",
        "area": "Auditing",
        "category": "access",
        "categoryDisplayName": "Access",
        "actorDisplayName": "Norman Paulk",
        "actorImageUrl": "https://dev.azure.com/fabrikam/_apis/GraphProfile/MemberAvatars/aad.NzdhMTNiN2MtYjIxNy03NDc4LWIxMjItYTlhMTU5YTFlNWQw"
      },
      {
        "id": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
        "correlationId": "57f825b4-a940-44a3-a3cc-25cdb9871107",
        "activityId": "01abe2fd-deee-4a47-b35f-dff3edc059a4",
        "actorCUID": "00000000-0000-0000-0000-000000000000",
        "actorUserId": "00000002-0000-8888-8000-000000000000",
        "authenticationMechanism": "",
        "timestamp": "2019-03-05T14:00:35.5034419+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": null,
        "userAgent": "",
        "actionId": "Project.CreateCompleted",
        "data": {
          "ProjectId": "2e0ffea5-d693-4711-862c-94393bacadcb",
          "ProjectName": "fabrikam-fiber-git",
          "ProcessTemplate": "Agile",
          "ProjectVisibility": "Private"
        },
        "details": "fabrikam-fiber-git project was created successfully",
        "area": "Project",
        "category": "create",
        "categoryDisplayName": "Create",
        "actorDisplayName": "Azure DevOps Service",
        "actorImageUrl": null
      }
    ],
    "continuationToken": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
    "hasMore": false
  }
}
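
Added example (not part of the original reference and not Microsoft's code): a Python client that pages through the audit log by following continuationToken while hasMore is true, requesting skipAggregation=true so AuditLog.AccessLog events arrive as individual entries. Assumptions: the function names are illustrative, the OAuth2 access token is sent as a Bearer header, and the result is read from under "value" as in the sample response or from the top level as in the AuditLogQueryResult definition.

```python
import json
import urllib.parse
import urllib.request

BASE = "https://auditservice.dev.azure.com/{org}/_apis/audit/auditlog"
API_VERSION = "6.0-preview.1"


def build_url(org, start_time=None, end_time=None, batch_size=None,
              continuation_token=None, skip_aggregation=True):
    """Build the query URL; optional parameters are omitted when unset."""
    params = {"api-version": API_VERSION}
    if start_time:
        params["startTime"] = start_time
    if end_time:
        params["endTime"] = end_time
    if batch_size:
        params["batchSize"] = str(batch_size)
    if continuation_token:
        params["continuationToken"] = continuation_token
    if skip_aggregation:
        params["skipAggregation"] = "true"
    base = BASE.format(org=urllib.parse.quote(org, safe=""))
    return base + "?" + urllib.parse.urlencode(params)


def http_fetch(url, access_token):
    """Assumption: the OAuth2 access token is sent as a Bearer header."""
    req = urllib.request.Request(
        url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_audit_entries(fetch, org, **window):
    """Yield every entry in the window, following continuationToken."""
    token, seen = None, set()
    while True:
        body = fetch(build_url(org, continuation_token=token, **window))
        # The sample response wraps the result in "value"; accept both shapes.
        result = body.get("value", body)
        yield from result.get("decoratedAuditLogEntries") or []
        token = result.get("continuationToken")
        # Stop when done, or if the server repeats a token (would loop forever).
        if not result.get("hasMore") or not token or token in seen:
            return
        seen.add(token)
```

For a live query, pass `lambda url: http_fetch(url, token)` as `fetch`, where `token` carries the vso.auditlog scope.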

Definitions

| Name | Description |
|---|---|
| AuditActionCategory | Type of action executed |
| AuditLogQueryResult | The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries. |
| AuditScopeType | The type of the scope (Organization is the only scope currently supported) |
| DecoratedAuditLogEntry | |

AuditActionCategory

Type of action executed

| Name | Type | Description |
|---|---|---|
| access | string | An artifact has been Accessed |
| create | string | An artifact has been Created |
| execute | string | An artifact has been Executed |
| modify | string | An artifact has been Modified |
| remove | string | An artifact has been Removed |
| unknown | string | The category is not known |

AuditLogQueryResult

The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.

| Name | Type | Description |
|---|---|---|
| continuationToken | string | The continuation token to pass to get the next set of results |
| decoratedAuditLogEntries | | The list of audit log entries |
| hasMore | boolean | True when there are more matching results to be fetched, false otherwise. |

AuditScopeType

The type of the scope (Organization is the only scope currently supported)

| Name | Type | Description |
|---|---|---|
| deployment | string | Deployment |
| enterprise | string | Enterprise |
| organization | string | Organization |
| project | string | Project |
| unknown | string | The scope is not known or has not been set |

DecoratedAuditLogEntry

| Name | Type | Description |
|---|---|---|
| actionId | string | The action id for the event, e.g. Git.CreateRepo, Project.RenameProject |
| activityId | string | ActivityId |
| actorCUID | string | The Actor's CUID |
| actorDisplayName | string | DisplayName of the user who initiated the action |
| actorImageUrl | string | URL of Actor's Profile image |
| actorUPN | string | The Actor's UPN |
| actorUserId | string | The Actor's User Id |
| area | string | Area of Azure DevOps where the action occurred |
| authenticationMechanism | string | Type of authentication used by the actor |
| category | | Type of action executed |
| categoryDisplayName | string | DisplayName of the category |
| correlationId | string | This allows related audit entries to be grouped together. Generally this occurs when a single action causes a cascade of audit entries. For example, project creation. |
| data | object | External data such as CUIDs, item names, etc. |
| details | string | Decorated details |
| id | string | EventId - Needs to be unique per service |
| ipAddress | string | IP address from which the event originated |
| projectId | string | When specified, the id of the project this event is associated with |
| projectName | string | When specified, the name of the project this event is associated with |
| scopeDisplayName | string | DisplayName of the scope |
| scopeId | string | The organization Id (Organization is the only scope currently supported) |
| scopeType | | The type of the scope (Organization is the only scope currently supported) |
| timestamp | string | The time when the event occurred in UTC |
| userAgent | string | The user agent from the request |