AzureDevOpsAuditing
Schema for Azure DevOps audit logs, which can be used to track the many changes that occur within your Azure DevOps organization(s). Some examples include changes to security policies, pipelines, billing, and projects. For a full list of events, see aka.ms/azdev-audit-events.
Table attributes
| Attribute | Value |
|---|---|
| Resource types | - |
| Categories | - |
| Solutions | LogManagement |
| Basic log | No |
| Ingestion-time transformation | Yes |
| Sample Queries | - |
Columns
| Column | Type | Description |
|---|---|---|
| ActivityId | string | Unique identifier for the action that occurred. |
| ActorClientId | string | When the action was performed by a managed identity or other service principal, this value represents the client ID of that principal. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field is populated, ActorCUID and ActorUserId will both be 00000000-0000-0000-0000-000000000000. |
| ActorCUID | string | When the action was performed by a user, this value represents a consistently unique identifier for that actor. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field, along with ActorUserId, is populated, ActorClientId will be 00000000-0000-0000-0000-000000000000. |
| ActorDisplayName | string | Display name of the user who initiated the auditing event to be logged. |
| ActorUPN | string | The actor's user principal name. |
| ActorUserId | string | When the action was performed by a user or Azure DevOps service, this value represents that actor's user identifier. Otherwise, this value is 00000000-0000-0000-0000-000000000000. When this field, along with ActorUserId, is populated, ActorClientId will be 00000000-0000-0000-0000-000000000000. |
| Area | string | Part of the Azure DevOps product where the auditing event occurred. |
| AuthenticationMechanism | string | Type of authentication used by the actor. |
| _BilledSize | real | The record size in bytes |
| Category | string | Type of action that occurred when the auditing event was logged. |
| CategoryDisplayName | string | Type of action that occurred when the auditing event was logged. |
| CorrelationId | string | CorrelationId allows two or more auditing events to be grouped together. This happens when a single action causes a cascade of auditing entries. An example being project creation. |
| Data | dynamic | Additional data that's unique to the type of auditing event. |
| Details | string | Description of what happened. |
| Id | string | The identifier for the audit event, unique across services. |
| IpAddress | string | IP address where the event originated. |
| _IsBillable | string | Specifies whether ingesting the data is billable. When _IsBillable is false ingestion isn't billed to your Azure account |
| OperationName | string | The unique identifier for the type of auditing event that occurred. For example, Git.CreateRepo identifies the an auditing event for Git repository creation. |
| ProjectId | string | Unique identifier of the project that an auditing event occurred in. If not provided then the event isn't scoped to a particular project. |
| ProjectName | string | Friendly name of the project that an auditing event occurred in. If not provided then the event isn't scoped to a particular project. |
| ScopeDisplayName | string | User friendly name for the scope level that an auditing event occurred at. |
| ScopeId | string | The organization identifier. |
| ScopeType | string | The level (scope) that the event occurred. |
| SourceSystem | string | The type of agent the event was collected by. For example, OpsManager for Windows agent, either direct connect or Operations Manager, Linux for all Linux agents, or Azure for Azure Diagnostics |
| TenantId | string | The Log Analytics workspace ID |
| TimeGenerated | datetime | The time the auditing event occurred in UTC. |
| Type | string | The name of the table |
| UserAgent | string | The user agent from the request. |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for