Create auditLogQuery

Namespace: microsoft.graph.security

Important

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.

Create a new auditLogQuery object.

This API is available in the following national cloud deployments.

Global service	US Government L4	US Government L5 (DOD)	China operated by 21Vianet
✅	❌	❌	❌

Permissions

Auditing data can be accessed through Microsoft Purview Audit Search API via the following permissions, which are classified at a Microsoft 365 service level. To learn more, including how to choose permissions, see Permissions.

Microsoft 365 service	Delegated (work or school account)	Delegated (personal Microsoft account)	Application
Microsoft OneDrive	AuditLogsQuery-OneDrive.Read.All	Not supported	AuditLogsQuery-OneDrive.Read.All
Microsoft Exchange	AuditLogsQuery-Exchange.Read.All	Not supported	AuditLogsQuery-Exchange.Read.All
Microsoft SharePoint	AuditLogsQuery-SharePoint.Read.All	Not supported	AuditLogsQuery-SharePoint.Read.All
Microsoft Intune	AuditLogsQuery-Endpoint.Read.All	Not supported	AuditLogsQuery-Endpoint.Read.All
Microsoft Dynamics CRM	AuditLogsQuery-CRM.Read.All	Not supported	AuditLogsQuery-CRM.Read.All
Microsoft Entra	AuditLogsQuery-Entra.Read.All	Not supported	AuditLogsQuery-Entra.Read.All
All Audit Logs	AuditLogsQuery.Read.All	Not supported	AuditLogsQuery.Read.All

HTTP request

POST /security/auditLog/queries

Request headers

Name	Description
Authorization	Bearer {token}. Required.
Content-Type	application/json. Required.

Request body

In the request body, supply a JSON representation of the auditLogQuery object.

You can specify the following properties when creating a auditLogQuery.

Property	Type	Description
displayName	String	Display name for the saved audit log query. Optional.
filterStartDateTime	DateTimeOffset	Start date of the date range in the query. Optional.
filterEndDateTime	DateTimeOffset	End date of the date range in the query. Optional.
recordTypeFilters	Collection(string) of microsoft.graph.security.auditLogRecordType	The operation type or types indicated by the record. The possible values are: exchangeAdmin, exchangeItem, exchangeItemGroup, sharePoint, syntheticProbe, sharePointFileOperation, oneDrive, azureActiveDirectory, azureActiveDirectoryAccountLogon, dataCenterSecurityCmdlet, complianceDLPSharePoint, sway, complianceDLPExchange, sharePointSharingOperation, azureActiveDirectoryStsLogon, skypeForBusinessPSTNUsage, skypeForBusinessUsersBlocked, securityComplianceCenterEOPCmdlet, exchangeAggregatedOperation, powerBIAudit, crm, yammer, skypeForBusinessCmdlets, discovery, microsoftTeams, threatIntelligence, mailSubmission, microsoftFlow, aeD, microsoftStream, complianceDLPSharePointClassification, threatFinder, project, sharePointListOperation, sharePointCommentOperation, dataGovernance, kaizala, securityComplianceAlerts, threatIntelligenceUrl, securityComplianceInsights, mipLabel, workplaceAnalytics, powerAppsApp, powerAppsPlan, threatIntelligenceAtpContent, labelContentExplorer, teamsHealthcare, exchangeItemAggregated, hygieneEvent, dataInsightsRestApiAudit, informationBarrierPolicyApplication, sharePointListItemOperation, sharePointContentTypeOperation, sharePointFieldOperation, microsoftTeamsAdmin, hrSignal, microsoftTeamsDevice, microsoftTeamsAnalytics, informationWorkerProtection, campaign, dlpEndpoint, airInvestigation, quarantine, microsoftForms, applicationAudit, complianceSupervisionExchange, customerKeyServiceEncryption, officeNative, mipAutoLabelSharePointItem, mipAutoLabelSharePointPolicyLocation, microsoftTeamsShifts, secureScore, mipAutoLabelExchangeItem, cortanaBriefing, search, wdatpAlerts, powerPlatformAdminDlp, powerPlatformAdminEnvironment, mdatpAudit, sensitivityLabelPolicyMatch, sensitivityLabelAction, sensitivityLabeledFileAction, attackSim, airManualInvestigation, securityComplianceRBAC, userTraining, airAdminActionInvestigation, mstic, physicalBadgingSignal, teamsEasyApprovals, aipDiscover, aipSensitivityLabelAction, aipProtectionAction, aipFileDeleted, aipHeartBeat, mcasAlerts, onPremisesFileShareScannerDlp, onPremisesSharePointScannerDlp, exchangeSearch, sharePointSearch, privacyDataMinimization, labelAnalyticsAggregate, myAnalyticsSettings, securityComplianceUserChange, complianceDLPExchangeClassification, complianceDLPEndpoint, mipExactDataMatch, msdeResponseActions, msdeGeneralSettings, msdeIndicatorsSettings, ms365DCustomDetection, msdeRolesSettings, mapgAlerts, mapgPolicy, mapgRemediation, privacyRemediationAction, privacyDigestEmail, mipAutoLabelSimulationProgress, mipAutoLabelSimulationCompletion, mipAutoLabelProgressFeedback, dlpSensitiveInformationType, mipAutoLabelSimulationStatistics, largeContentMetadata, microsoft365Group, cdpMlInferencingResult, filteringMailMetadata, cdpClassificationMailItem, cdpClassificationDocument, officeScriptsRunAction, filteringPostMailDeliveryAction, cdpUnifiedFeedback, tenantAllowBlockList, consumptionResource, healthcareSignal, dlpImportResult, cdpCompliancePolicyExecution, multiStageDisposition, privacyDataMatch, filteringDocMetadata, filteringEmailFeatures, powerBIDlp, filteringUrlInfo, filteringAttachmentInfo, coreReportingSettings, complianceConnector, powerPlatformLockboxResourceAccessRequest, powerPlatformLockboxResourceCommand, cdpPredictiveCodingLabel, cdpCompliancePolicyUserFeedback, webpageActivityEndpoint, omePortal, cmImprovementActionChange, filteringUrlClick, mipLabelAnalyticsAuditRecord, filteringEntityEvent, filteringRuleHits, filteringMailSubmission, labelExplorer, microsoftManagedServicePlatform, powerPlatformServiceActivity, scorePlatformGenericAuditRecord, filteringTimeTravelDocMetadata, alert, alertStatus, alertIncident, incidentStatus, case, caseInvestigation, recordsManagement, privacyRemediation, dataShareOperation, cdpDlpSensitive, ehrConnector, filteringMailGradingResult, publicFolder, privacyTenantAuditHistoryRecord, aipScannerDiscoverEvent, eduDataLakeDownloadOperation, m365ComplianceConnector, microsoftGraphDataConnectOperation, microsoftPurview, filteringEmailContentFeatures, powerPagesSite, powerAppsResource, plannerPlan, plannerCopyPlan, plannerTask, plannerRoster, plannerPlanList, plannerTaskList, plannerTenantSettings, projectForTheWebProject, projectForTheWebTask, projectForTheWebRoadmap, projectForTheWebRoadmapItem, projectForTheWebProjectSettings, projectForTheWebRoadmapSettings, quarantineMetadata, microsoftTodoAudit, timeTravelFilteringDocMetadata, teamsQuarantineMetadata, sharePointAppPermissionOperation, microsoftTeamsSensitivityLabelAction, filteringTeamsMetadata, filteringTeamsUrlInfo, filteringTeamsPostDeliveryAction, mdcAssessments, mdcRegulatoryComplianceStandards, mdcRegulatoryComplianceControls, mdcRegulatoryComplianceAssessments, mdcSecurityConnectors, mdaDataSecuritySignal, vivaGoals, filteringRuntimeInfo, attackSimAdmin, microsoftGraphDataConnectConsent, filteringAtpDetonationInfo, privacyPortal, managedTenants, unifiedSimulationMatchedItem, unifiedSimulationSummary, updateQuarantineMetadata, ms365DSuppressionRule, purviewDataMapOperation, filteringUrlPostClickAction, irmUserDefinedDetectionSignal, teamsUpdates, plannerRosterSensitivityLabel, ms365DIncident, filteringDelistingMetadata, complianceDLPSharePointClassificationExtended, microsoftDefenderForIdentityAudit, supervisoryReviewDayXInsight, defenderExpertsforXDRAdmin, cdpEdgeBlockedMessage, hostedRpa, cdpContentExplorerAggregateRecord, cdpHygieneAttachmentInfo, cdpHygieneSummary, cdpPostMailDeliveryAction, cdpEmailFeatures, cdpHygieneUrlInfo, cdpUrlClick, cdpPackageManagerHygieneEvent, filteringDocScan, timeTravelFilteringDocScan, mapgOnboard, unknownFutureValue. Optional.
keywordFilter	String	Free text field to search non-indexed properties of the audit log. Optional.
serviceFilter	String	The Office 365 service where the activity occurred. Optional.
operationFilters	String collection	The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center. Optional.
userPrincipalNameFilters	String collection	The UPN (user principal name) of the user who performed the action (specified in the operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Optional.
ipAddressFilters	String collection	The IP address of the device that was used when the activity was logged. Optional.
objectIdFilters	String collection	For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. Optional.
administrativeUnitIdFilters	String collection	Administrative units tagged to an audit log record. Optional.
status	microsoft.graph.security.auditLogQueryStatus	Current status of the query. The possible values are: notStarted, running, succeeded, failed, cancelled, unknownFutureValue. Optional.

Response

If successful, this method returns a 201 Created response code and a auditLogQuery object in the response body.

Examples

Request

The following example shows a request.

HTTP

POST https://graph.microsoft.com/beta/security/auditLog/queries
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.security.auditLogQuery",
  "displayName": "String",
  "filterStartDateTime": "String (timestamp)",
  "filterEndDateTime": "String (timestamp)",
  "recordTypeFilters": [
    "String"
  ],
  "keywordFilter": "String",
  "serviceFilter": "String",
  "operationFilters": [
    "String"
  ],
  "userPrincipalNameFilters": [
    "String"
  ],
  "ipAddressFilters": [
    "String"
  ],
  "objectIdFilters": [
    "String"
  ],
  "administrativeUnitIdFilters": [
    "String"
  ],
  "status": "String"
}

C#

// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Beta.Models.Security;

var requestBody = new AuditLogQuery
{
	OdataType = "#microsoft.graph.security.auditLogQuery",
	DisplayName = "String",
	FilterStartDateTime = DateTimeOffset.Parse("String (timestamp)"),
	FilterEndDateTime = DateTimeOffset.Parse("String (timestamp)"),
	RecordTypeFilters = new List<AuditLogRecordType?>
	{
		AuditLogRecordType.ExchangeAdmin,
	},
	KeywordFilter = "String",
	OperationFilters = new List<string>
	{
		"String",
	},
	UserPrincipalNameFilters = new List<string>
	{
		"String",
	},
	IpAddressFilters = new List<string>
	{
		"String",
	},
	ObjectIdFilters = new List<string>
	{
		"String",
	},
	AdministrativeUnitIdFilters = new List<string>
	{
		"String",
	},
	Status = AuditLogQueryStatus.NotStarted,
	AdditionalData = new Dictionary<string, object>
	{
		{
			"serviceFilter" , "String"
		},
	},
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Security.AuditLog.Queries.PostAsync(requestBody);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

CLI

// THE CLI IS IN PREVIEW. NON-PRODUCTION USE ONLY
mgc-beta security audit-log queries create --body '{\
  "@odata.type": "#microsoft.graph.security.auditLogQuery",\
  "displayName": "String",\
  "filterStartDateTime": "String (timestamp)",\
  "filterEndDateTime": "String (timestamp)",\
  "recordTypeFilters": [\
    "String"\
  ],\
  "keywordFilter": "String",\
  "serviceFilter": "String",\
  "operationFilters": [\
    "String"\
  ],\
  "userPrincipalNameFilters": [\
    "String"\
  ],\
  "ipAddressFilters": [\
    "String"\
  ],\
  "objectIdFilters": [\
    "String"\
  ],\
  "administrativeUnitIdFilters": [\
    "String"\
  ],\
  "status": "String"\
}\
'

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Go

import (
	  "context"
	  "time"
	  msgraphsdk "github.com/microsoftgraph/msgraph-beta-sdk-go"
	  graphmodelssecurity "github.com/microsoftgraph/msgraph-beta-sdk-go/models/security"
	  //other-imports
)

graphClient := msgraphsdk.NewGraphServiceClientWithCredentials(cred, scopes)


requestBody := graphmodelssecurity.NewAuditLogQuery()
displayName := "String"
requestBody.SetDisplayName(&displayName) 
filterStartDateTime , err := time.Parse(time.RFC3339, "String (timestamp)")
requestBody.SetFilterStartDateTime(&filterStartDateTime) 
filterEndDateTime , err := time.Parse(time.RFC3339, "String (timestamp)")
requestBody.SetFilterEndDateTime(&filterEndDateTime) 
recordTypeFilters := []graphmodelssecurity.AuditLogRecordTypeable {
	auditLogRecordType := graphmodels.STRING_AUDITLOGRECORDTYPE 
	requestBody.SetAuditLogRecordType(&auditLogRecordType)
}
requestBody.SetRecordTypeFilters(recordTypeFilters)
keywordFilter := "String"
requestBody.SetKeywordFilter(&keywordFilter) 
operationFilters := []string {
	"String",
}
requestBody.SetOperationFilters(operationFilters)
userPrincipalNameFilters := []string {
	"String",
}
requestBody.SetUserPrincipalNameFilters(userPrincipalNameFilters)
ipAddressFilters := []string {
	"String",
}
requestBody.SetIpAddressFilters(ipAddressFilters)
objectIdFilters := []string {
	"String",
}
requestBody.SetObjectIdFilters(objectIdFilters)
administrativeUnitIdFilters := []string {
	"String",
}
requestBody.SetAdministrativeUnitIdFilters(administrativeUnitIdFilters)
status := graphmodels.STRING_AUDITLOGQUERYSTATUS 
requestBody.SetStatus(&status) 
additionalData := map[string]interface{}{
	"serviceFilter" : "String", 
}
requestBody.SetAdditionalData(additionalData)

queries, err := graphClient.Security().AuditLog().Queries().Post(context.Background(), requestBody, nil)

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Java

// Code snippets are only available for the latest version. Current version is 6.x

GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);

com.microsoft.graph.beta.models.security.AuditLogQuery auditLogQuery = new com.microsoft.graph.beta.models.security.AuditLogQuery();
auditLogQuery.setOdataType("#microsoft.graph.security.auditLogQuery");
auditLogQuery.setDisplayName("String");
OffsetDateTime filterStartDateTime = OffsetDateTime.parse("String (timestamp)");
auditLogQuery.setFilterStartDateTime(filterStartDateTime);
OffsetDateTime filterEndDateTime = OffsetDateTime.parse("String (timestamp)");
auditLogQuery.setFilterEndDateTime(filterEndDateTime);
LinkedList<com.microsoft.graph.beta.models.security.com.microsoft.graph.beta.models.security.AuditLogRecordType> recordTypeFilters = new LinkedList<com.microsoft.graph.beta.models.security.com.microsoft.graph.beta.models.security.AuditLogRecordType>();
recordTypeFilters.add(com.microsoft.graph.beta.models.security.AuditLogRecordType.ExchangeAdmin);
auditLogQuery.setRecordTypeFilters(recordTypeFilters);
auditLogQuery.setKeywordFilter("String");
LinkedList<String> operationFilters = new LinkedList<String>();
operationFilters.add("String");
auditLogQuery.setOperationFilters(operationFilters);
LinkedList<String> userPrincipalNameFilters = new LinkedList<String>();
userPrincipalNameFilters.add("String");
auditLogQuery.setUserPrincipalNameFilters(userPrincipalNameFilters);
LinkedList<String> ipAddressFilters = new LinkedList<String>();
ipAddressFilters.add("String");
auditLogQuery.setIpAddressFilters(ipAddressFilters);
LinkedList<String> objectIdFilters = new LinkedList<String>();
objectIdFilters.add("String");
auditLogQuery.setObjectIdFilters(objectIdFilters);
LinkedList<String> administrativeUnitIdFilters = new LinkedList<String>();
administrativeUnitIdFilters.add("String");
auditLogQuery.setAdministrativeUnitIdFilters(administrativeUnitIdFilters);
auditLogQuery.setStatus(com.microsoft.graph.beta.models.security.AuditLogQueryStatus.NotStarted);
HashMap<String, Object> additionalData = new HashMap<String, Object>();
additionalData.put("serviceFilter", "String");
auditLogQuery.setAdditionalData(additionalData);
com.microsoft.graph.models.security.AuditLogQuery result = graphClient.security().auditLog().queries().post(auditLogQuery);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

JavaScript

const options = {
	authProvider,
};

const client = Client.init(options);

const auditLogQuery = {
  '@odata.type': '#microsoft.graph.security.auditLogQuery',
  displayName: 'String',
  filterStartDateTime: 'String (timestamp)',
  filterEndDateTime: 'String (timestamp)',
  recordTypeFilters: [
    'String'
  ],
  keywordFilter: 'String',
  serviceFilter: 'String',
  operationFilters: [
    'String'
  ],
  userPrincipalNameFilters: [
    'String'
  ],
  ipAddressFilters: [
    'String'
  ],
  objectIdFilters: [
    'String'
  ],
  administrativeUnitIdFilters: [
    'String'
  ],
  status: 'String'
};

await client.api('/security/auditLog/queries')
	.version('beta')
	.post(auditLogQuery);

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

PHP

<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AuditLogQuery;
use Microsoft\Graph\Generated\Models\AuditLogRecordType;


$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);

$requestBody = new AuditLogQuery();
$requestBody->setOdataType('#microsoft.graph.security.auditLogQuery');
$requestBody->setDisplayName('String');
$requestBody->setFilterStartDateTime(new \DateTime('String (timestamp)'));
$requestBody->setFilterEndDateTime(new \DateTime('String (timestamp)'));
$requestBody->setRecordTypeFilters([new AuditLogRecordType('string'),	]);
$requestBody->setKeywordFilter('String');
$requestBody->setOperationFilters(['String', 	]);
$requestBody->setUserPrincipalNameFilters(['String', 	]);
$requestBody->setIpAddressFilters(['String', 	]);
$requestBody->setObjectIdFilters(['String', 	]);
$requestBody->setAdministrativeUnitIdFilters(['String', 	]);
$requestBody->setStatus(new AuditLogQueryStatus('string'));
$additionalData = [
	'serviceFilter' => 'String',
];
$requestBody->setAdditionalData($additionalData);

$result = $graphServiceClient->security()->auditLog()->queries()->post($requestBody)->wait();

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

PowerShell

Import-Module Microsoft.Graph.Beta.Security

$params = @{
	"@odata.type" = "#microsoft.graph.security.auditLogQuery"
	displayName = "String"
	filterStartDateTime = [System.DateTime]::Parse("String (timestamp)")
	filterEndDateTime = [System.DateTime]::Parse("String (timestamp)")
	recordTypeFilters = @(
	"String"
)
keywordFilter = "String"
serviceFilter = "String"
operationFilters = @(
"String"
)
userPrincipalNameFilters = @(
"String"
)
ipAddressFilters = @(
"String"
)
objectIdFilters = @(
"String"
)
administrativeUnitIdFilters = @(
"String"
)
status = "String"
}

New-MgBetaSecurityAuditLogQuery -BodyParameter $params

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Python

from msgraph import GraphServiceClient
from msgraph.generated.models.audit_log_query import AuditLogQuery
from msgraph.generated.models.audit_log_record_type import AuditLogRecordType

graph_client = GraphServiceClient(credentials, scopes)

request_body = AuditLogQuery(
	odata_type = "#microsoft.graph.security.auditLogQuery",
	display_name = "String",
	filter_start_date_time = "String (timestamp)",
	filter_end_date_time = "String (timestamp)",
	record_type_filters = [
		AuditLogRecordType.ExchangeAdmin,
	],
	keyword_filter = "String",
	operation_filters = [
		"String",
	],
	user_principal_name_filters = [
		"String",
	],
	ip_address_filters = [
		"String",
	],
	object_id_filters = [
		"String",
	],
	administrative_unit_id_filters = [
		"String",
	],
	status = AuditLogQueryStatus.NotStarted,
	additional_data = {
			"service_filter" : "String",
	}
)

result = await graph_client.security.audit_log.queries.post(request_body)

Important

Microsoft Graph SDKs use the v1.0 version of the API by default, and do not support all the types, properties, and APIs available in the beta version. For details about accessing the beta API with the SDK, see Use the Microsoft Graph SDKs with the beta API.

For details about how to add the SDK to your project and create an authProvider instance, see the SDK documentation.

Response

The following example shows the response.

Note: The response object shown here might be shortened for readability.

HTTP/1.1 201 Created
Content-Type: application/json

{
  "@odata.type": "#microsoft.graph.security.auditLogQuery",
  "id": "168ec429-084b-a489-90d8-504a87846305",
  "displayName": "String",
  "filterStartDateTime": "String (timestamp)",
  "filterEndDateTime": "String (timestamp)",
  "recordTypeFilters": [
    "String"
  ],
  "keywordFilter": "String",
  "serviceFilter": "String",
  "operationFilters": [
    "String"
  ],
  "userPrincipalNameFilters": [
    "String"
  ],
  "ipAddressFilters": [
    "String"
  ],
  "objectIdFilters": [
    "String"
  ],
  "administrativeUnitIdFilters": [
    "String"
  ],
  "status": "String"
}