Activities API
Note
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender, which correlates signals from across the Microsoft Defender suite and provides incident-level detection, investigation, and powerful response capabilities. For more information, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
The Activity API gives you visibility into all actions performed in your cloud apps. The data from this API can supply information regarding who logs in to which app and when, which files are being downloaded from suspicious locations, and so on.
The following lists the supported requests:
Filters
For information about how filters work, see Filters.
The following table describes the supported filters:
Filter | Type | Operators | Description |
---|---|---|---|
service | integer | eq, neq | Filter activities related to the specified service appID, for example: 11770 |
instance | integer | eq, neq | Filter activities from specified instances |
user.orgUnit | string | eq, neq, isset, isnotset | Filter activities by the organization unit of the performing user |
actionType | string | Contains, eq, neq, isset, isnotset | Filter activities by more specific action type |
activity.eventActionType | string | eq, neq | Filter activities by event type |
activity.id | string | eq | Find an activity by ID |
activity.impersonated | boolean | eq | If set to true, returns only impersonated events; if set to false, returns only non-impersonated events |
activity.type | boolean | eq | If set to true, returns only admin events; if set to false, returns only regular events |
activity.takenAction | string | eq, neq | Filter activities by the actions taken on them. Possible values include: block: Blocked; proxy: Redirected to session control; BypassProxy: Bypass session control; encrypt: Encrypted; decrypt: Decrypted; verified: Verified; encryptionFailed: Encryption failed; protect: Protected; verify: Require step-up authentication; null: No action |
device.type | string | eq, neq | Filter activities by device type. Possible values include: DESKTOP: PC; MOBILE: Mobile; TABLET: Tablet; OTHER: Other; null: No value |
device.tags | string | eq, neq | Filter activities by device tag IDs |
userAgent.userAgent | string | contains, ncontains | Filter activities that do or don't contain the given strings in the user agent |
userAgent.tags | string | eq, neq | Filter activities containing the specified user agent tag IDs |
location.country | string | eq, neq, isset, isnotset | Filter activities originating from the specified country/region code |
location.organizations | string | eq, neq, isset, isnotset, contains | Filter activities originating from the specified organization |
ip.address | string | eq, startswith, doesnotstartwith, isset, isnotset, neq | Filter activities originating from the given IP address |
fileSelector | file | eq, neq | Filter activities containing the specified file/folder |
office365url | string | startswith, eq, endswith | Filter activities by Microsoft 365 URLs |
fileId | string | eq | Find a file by ID |
ip.category | integer | eq, neq | Filter activities with the specified subnet categories. Possible values include: 1: Corporate; 2: Administrative; 3: Risky; 4: VPN; 5: Cloud provider; 6: Other |
ip.tags | string | eq, neq | Filter activities by IP tag IDs |
text | string | eq, startswithsingle, text | Filter activities by performing a free text search |
date | timestamp | lte, gte, range, lte_ndays, gte_ndays | Filter activities that occurred in the specified time range |
policy | string | eq, neq, isset, isnotset | Filter activities related to the specified policies |
source | string | eq, neq | Filter all activities by source type or stream ID. Example: [{ "s:stream-id", "t:source-type" }]. Possible source type values include: 0: Access control; 1: Session control; 2: App connector; 3: App connector analysis; 5: Discovery; 6: MDATP |
activity.alertId | string | eq | Filter all activities relevant to an alert ID |
activityObject | string | eq, neq | Filter activities containing the specified ID |
fileLabels | string | eq, neq | Filter files containing the specified file labels (tags) IDs |
created | | lte, gte, range, gt, lt, eq | Filter activities that were created in the specified time range |
entity | entity pk | eq, neq, isset, isnotset, startswith | Filter activities by the entity who performed the activity. Example: [{ "id": "entity-id", "inst": 0 }] |
user.username | string | eq, neq, isset, isnotset, startswith | Filter activities by the user who performed the activity |
user.tags | string | eq, neq, isset, isnotset, startswith | Filter activities by tags belonging to the performing user. Requires group IDs |
user.domain | string | eq, neq, isset, isnotset | Filter activities by the performing user domain |
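The following is an added example, not part of the Microsoft documentation: it builds a filter body from the table above, refusing any operator the table does not list for a given filter, and then shows how such a body would be sent to the activities list endpoint. The endpoint path (`/api/v1/activities/`), the body shape (`filters`/`skip`/`limit`), the `Authorization: Token` header and the `data`/`hasNext` response fields are assumptions drawn from general use of this API, not from this page; verify them against your tenant before relying on them.

```python
"""Build and validate Activities API filter bodies from the filter table.

Added example (not from the documentation page). Assumptions, not stated on
the page: list endpoint POST {tenant_url}/api/v1/activities/, request body
{"filters": {...}, "skip": N, "limit": N}, header "Authorization: Token <t>",
response JSON with "data" (list) and "hasNext" (bool).
"""
import json
import urllib.request

# Operators per filter, copied from the table on this page (subset).
SUPPORTED_OPERATORS = {
    "service": {"eq", "neq"},
    "ip.category": {"eq", "neq"},
    "ip.address": {"eq", "startswith", "doesnotstartwith", "isset", "isnotset", "neq"},
    "date": {"lte", "gte", "range", "lte_ndays", "gte_ndays"},
    "activity.takenAction": {"eq", "neq"},
    "device.type": {"eq", "neq"},
    "user.username": {"eq", "neq", "isset", "isnotset", "startswith"},
    "location.country": {"eq", "neq", "isset", "isnotset"},
    "activity.eventActionType": {"eq", "neq"},
}

# ip.category codes from the table (1 Corporate ... 6 Other).
IP_CATEGORY = {"corporate": 1, "administrative": 2, "risky": 3,
               "vpn": 4, "cloud_provider": 5, "other": 6}


def add_filter(filters, name, operator, value):
    """Add one clause; raise if the table does not list that operator for the filter."""
    if name not in SUPPORTED_OPERATORS:
        raise ValueError(f"unknown filter {name!r}")
    if operator not in SUPPORTED_OPERATORS[name]:
        raise ValueError(f"operator {operator!r} not supported for {name!r}; "
                         f"use one of {sorted(SUPPORTED_OPERATORS[name])}")
    filters.setdefault(name, {})[operator] = value
    return filters


def risky_subnet_activity_body(days=7, limit=100):
    """Body for: activities in the last N days from 'Risky' subnets (ip.category 3)."""
    filters = {}
    add_filter(filters, "date", "gte_ndays", days)          # relative time window
    add_filter(filters, "ip.category", "eq", [IP_CATEGORY["risky"]])
    return {"filters": filters, "skip": 0, "limit": limit}


def fetch_all_activities(tenant_url, token, body, max_pages=50):
    """Page through results (assumed 'skip'/'limit' paging and 'hasNext' flag).

    Network call; not exercised offline. Stops after max_pages as a safety cap.
    """
    results = []
    body = dict(body)
    for _ in range(max_pages):
        req = urllib.request.Request(
            f"{tenant_url.rstrip('/')}/api/v1/activities/",
            data=json.dumps(body).encode("utf-8"),
            headers={"Authorization": f"Token {token}",
                     "Content-Type": "application/json"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        results.extend(page.get("data", []))
        if not page.get("hasNext"):
            break
        body["skip"] = body.get("skip", 0) + body["limit"]
    return results


if __name__ == "__main__":
    print(json.dumps(risky_subnet_activity_body(days=3, limit=50), indent=2))
```

The validation step is the useful part for a defender: the table lists different operator sets per filter (for example, `date` accepts `gte_ndays` but not `eq`), and catching a mismatch client-side gives a clear error instead of a rejected request with an unhelpful message.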
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.