Audit Log - Query

Reference

Service:: Audit

API Version:: 7.1-preview.1

Queries audit log entries

GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?api-version=7.1-preview.1

With optional parameters:

GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?startTime={startTime}&endTime={endTime}&batchSize={batchSize}&continuationToken={continuationToken}&skipAggregation={skipAggregation}&api-version=7.1-preview.1

URI Parameters

Name	In	Required	Type	Description
organization	path		string	The name of the Azure DevOps organization.
api-version	query	True	string	Version of the API to use. This should be set to '7.1-preview.1' to use this version of the api.
batchSize	query		integer int32	Max number of results to return. Optional
continuationToken	query		string	Token used for returning next set of results from previous query. Optional
endTime	query		string date-time	End time of download window. Optional
skipAggregation	query		boolean	Skips aggregating events and leaves them as individual entries instead. By default events are aggregated. Event types that are aggregated: AuditLog.AccessLog.
startTime	query		string date-time	Start time of download window. Optional

Responses

Name	Type	Description
200 OK	AuditLogQueryResult	successful operation

Security

oauth2

Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Scopes

Name	Description
vso.auditlog	Grants the ability to read the auditing log and audit streams to users

Examples

By date

Sample request

HTTP

GET https://auditservice.dev.azure.com/_apis/audit/auditlog?startTime=2019-03-04T14:05:59.928Z&endTime=2019-03-05T14:05:59.928Z&batchSize=2&api-version=7.1-preview.1

Sample response

Status code:: 200

{
  "value": {
    "decoratedAuditLogEntries": [
      {
        "id": "2518505060978539161;00000064-0000-8888-8000-000000000000;86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "correlationId": "86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "activityId": "033fde68-f713-4984-b24f-8d7a73d1ade6",
        "actorCUID": "a718550e-4777-4058-8298-bff88d0cb524",
        "actorUserId": "d6a98b6c-6932-485c-a986-aea9fc981df0",
        "authenticationMechanism": "FedAuth",
        "timestamp": "2019-03-05T14:05:02.1460838+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": "167.220.148.131",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
        "actionId": "AuditLog.AccessLog",
        "data": {
          "Filter": {
            "StartTime": "2019-03-04T14:05:59.928Z",
            "EndTime": "2019-03-05T14:05:59.928Z",
            "ContinuationToken": null,
            "BatchSize": 2,
            "HasMore": true
          },
          "EventSummary": [
            "2019-03-05T14:05:02.1460838+00:00",
            "2019-03-05T13:59:40.4899467+00:00",
            "2019-03-05T13:58:13.159128+00:00"
          ]
        },
        "details": "Accessed the audit log 3 times",
        "area": "Auditing",
        "category": "access",
        "categoryDisplayName": "Access",
        "actorDisplayName": "Norman Paulk",
        "actorImageUrl": "https://dev.azure.com/fabrikam/_apis/GraphProfile/MemberAvatars/aad.NzdhMTNiN2MtYjIxNy03NDc4LWIxMjItYTlhMTU5YTFlNWQw"
      },
      {
        "id": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
        "correlationId": "57f825b4-a940-44a3-a3cc-25cdb9871107",
        "activityId": "01abe2fd-deee-4a47-b35f-dff3edc059a4",
        "actorCUID": "00000000-0000-0000-0000-000000000000",
        "actorUserId": "00000002-0000-8888-8000-000000000000",
        "authenticationMechanism": "",
        "timestamp": "2019-03-05T14:00:35.5034419+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": null,
        "userAgent": "",
        "actionId": "Project.CreateCompleted",
        "data": {
          "ProjectId": "2e0ffea5-d693-4711-862c-94393bacadcb",
          "ProjectName": "fabrikam-fiber-git",
          "ProcessTemplate": "Agile",
          "ProjectVisibility": "Private"
        },
        "details": "fabrikam-fiber-git project was created successfully",
        "area": "Project",
        "category": "create",
        "categoryDisplayName": "Create",
        "actorDisplayName": "Azure DevOps Service",
        "actorImageUrl": null
      }
    ],
    "continuationToken": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
    "hasMore": false
  }
}

Definitions

Name	Description
AuditActionCategory	Type of action executed
AuditLogQueryResult	The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.
AuditScopeType	The type of the scope (Organization is only scope currently supported)
DecoratedAuditLogEntry

AuditActionCategory

Type of action executed

Name	Type	Description
access	string	An artifact has been Accessed
create	string	An artifact has been Created
execute	string	An artifact has been Executed
modify	string	An artifact has been Modified
remove	string	An artifact has been Removed
unknown	string	The category is not known

AuditLogQueryResult

The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.

Name	Type	Description
continuationToken	string	The continuation token to pass to get the next set of results
decoratedAuditLogEntries	DecoratedAuditLogEntry[]	The list of audit log entries
hasMore	boolean	True when there are more matching results to be fetched, false otherwise.

AuditScopeType

The type of the scope (Organization is only scope currently supported)

Name	Type	Description
deployment	string	Deployment
enterprise	string	Enterprise
organization	string	Organization
project	string	Project
unknown	string	The scope is not known or has not been set

DecoratedAuditLogEntry

Name	Type	Description
actionId	string	The action id for the event, i.e Git.CreateRepo, Project.RenameProject
activityId	string	ActivityId
actorCUID	string	The Actor's CUID
actorClientId	string	The Actor's Client Id (if actor is a service principal)
actorDisplayName	string	DisplayName of the user who initiated the action
actorImageUrl	string	URL of Actor's Profile image
actorUPN	string	The Actor's UPN
actorUserId	string	The Actor's User Id (if actor is a user)
area	string	Area of Azure DevOps the action occurred
authenticationMechanism	string	Type of authentication used by the actor
category	AuditActionCategory	Type of action executed
categoryDisplayName	string	DisplayName of the category
correlationId	string	This allows related audit entries to be grouped together. Generally this occurs when a single action causes a cascade of audit entries. For example, project creation.
data	object	External data such as CUIDs, item names, etc.
details	string	Decorated details
id	string	EventId - Needs to be unique per service
ipAddress	string	IP Address where the event was originated
projectId	string	When specified, the id of the project this event is associated to
projectName	string	When specified, the name of the project this event is associated to
scopeDisplayName	string	DisplayName of the scope
scopeId	string	The organization Id (Organization is the only scope currently supported)
scopeType	AuditScopeType	The type of the scope (Organization is only scope currently supported)
timestamp	string	The time when the event occurred in UTC
userAgent	string	The user agent from the request

Dela via