Audit Log - Query

Queries audit log entries

GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?api-version=7.1-preview.1
GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?startTime={startTime}&endTime={endTime}&batchSize={batchSize}&continuationToken={continuationToken}&skipAggregation={skipAggregation}&api-version=7.1-preview.1

URI Parameters

Name In Required Type Description
organization
path

string

The name of the Azure DevOps organization.

api-version
query True

string

Version of the API to use. This should be set to '7.1-preview.1' to use this version of the api.

batchSize
query

integer

int32

Max number of results to return. Optional

continuationToken
query

string

Token used for returning next set of results from previous query. Optional

endTime
query

string

date-time

End time of download window. Optional

skipAggregation
query

boolean

Skips aggregating events and leaves them as individual entries instead. By default events are aggregated. Event types that are aggregated: AuditLog.AccessLog.

startTime
query

string

date-time

Start time of download window. Optional

Responses

Name Type Description
200 OK

AuditLogQueryResult

successful operation

Security

oauth2

Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Scopes

Name Description
vso.auditlog Grants the ability to read the auditing log and audit streams to users

Examples

By date

Sample request

GET https://auditservice.dev.azure.com/_apis/audit/auditlog?startTime=2019-03-04T14:05:59.928Z&endTime=2019-03-05T14:05:59.928Z&batchSize=2&api-version=7.1-preview.1

Sample response

{
  "value": {
    "decoratedAuditLogEntries": [
      {
        "id": "2518505060978539161;00000064-0000-8888-8000-000000000000;86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "correlationId": "86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "activityId": "033fde68-f713-4984-b24f-8d7a73d1ade6",
        "actorCUID": "a718550e-4777-4058-8298-bff88d0cb524",
        "actorUserId": "d6a98b6c-6932-485c-a986-aea9fc981df0",
        "authenticationMechanism": "FedAuth",
        "timestamp": "2019-03-05T14:05:02.1460838+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": "167.220.148.131",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
        "actionId": "AuditLog.AccessLog",
        "data": {
          "Filter": {
            "StartTime": "2019-03-04T14:05:59.928Z",
            "EndTime": "2019-03-05T14:05:59.928Z",
            "ContinuationToken": null,
            "BatchSize": 2,
            "HasMore": true
          },
          "EventSummary": [
            "2019-03-05T14:05:02.1460838+00:00",
            "2019-03-05T13:59:40.4899467+00:00",
            "2019-03-05T13:58:13.159128+00:00"
          ]
        },
        "details": "Accessed the audit log 3 times",
        "area": "Auditing",
        "category": "access",
        "categoryDisplayName": "Access",
        "actorDisplayName": "Norman Paulk",
        "actorImageUrl": "https://dev.azure.com/fabrikam/_apis/GraphProfile/MemberAvatars/aad.NzdhMTNiN2MtYjIxNy03NDc4LWIxMjItYTlhMTU5YTFlNWQw"
      },
      {
        "id": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
        "correlationId": "57f825b4-a940-44a3-a3cc-25cdb9871107",
        "activityId": "01abe2fd-deee-4a47-b35f-dff3edc059a4",
        "actorCUID": "00000000-0000-0000-0000-000000000000",
        "actorUserId": "00000002-0000-8888-8000-000000000000",
        "authenticationMechanism": "",
        "timestamp": "2019-03-05T14:00:35.5034419+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": null,
        "userAgent": "",
        "actionId": "Project.CreateCompleted",
        "data": {
          "ProjectId": "2e0ffea5-d693-4711-862c-94393bacadcb",
          "ProjectName": "fabrikam-fiber-git",
          "ProcessTemplate": "Agile",
          "ProjectVisibility": "Private"
        },
        "details": "fabrikam-fiber-git project was created successfully",
        "area": "Project",
        "category": "create",
        "categoryDisplayName": "Create",
        "actorDisplayName": "Azure DevOps Service",
        "actorImageUrl": null
      }
    ],
    "continuationToken": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
    "hasMore": false
  }
}

Definitions

Name Description
AuditActionCategory

Type of action executed

AuditLogQueryResult

The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.

AuditScopeType

The type of the scope (Organization is only scope currently supported)

DecoratedAuditLogEntry

AuditActionCategory

Type of action executed

Name Type Description
access

string

An artifact has been Accessed

create

string

An artifact has been Created

execute

string

An artifact has been Executed

modify

string

An artifact has been Modified

remove

string

An artifact has been Removed

unknown

string

The category is not known

AuditLogQueryResult

The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.

Name Type Description
continuationToken

string

The continuation token to pass to get the next set of results

decoratedAuditLogEntries

DecoratedAuditLogEntry[]

The list of audit log entries

hasMore

boolean

True when there are more matching results to be fetched, false otherwise.

AuditScopeType

The type of the scope (Organization is only scope currently supported)

Name Type Description
deployment

string

Deployment

enterprise

string

Enterprise

organization

string

Organization

project

string

Project

unknown

string

The scope is not known or has not been set

DecoratedAuditLogEntry

Name Type Description
actionId

string

The action id for the event, i.e Git.CreateRepo, Project.RenameProject

activityId

string

ActivityId

actorCUID

string

The Actor's CUID

actorClientId

string

The Actor's Client Id (if actor is a service principal)

actorDisplayName

string

DisplayName of the user who initiated the action

actorImageUrl

string

URL of Actor's Profile image

actorUPN

string

The Actor's UPN

actorUserId

string

The Actor's User Id (if actor is a user)

area

string

Area of Azure DevOps the action occurred

authenticationMechanism

string

Type of authentication used by the actor

category

AuditActionCategory

Type of action executed

categoryDisplayName

string

DisplayName of the category

correlationId

string

This allows related audit entries to be grouped together. Generally this occurs when a single action causes a cascade of audit entries. For example, project creation.

data

object

External data such as CUIDs, item names, etc.

details

string

Decorated details

id

string

EventId - Needs to be unique per service

ipAddress

string

IP Address where the event was originated

projectId

string

When specified, the id of the project this event is associated to

projectName

string

When specified, the name of the project this event is associated to

scopeDisplayName

string

DisplayName of the scope

scopeId

string

The organization Id (Organization is the only scope currently supported)

scopeType

AuditScopeType

The type of the scope (Organization is only scope currently supported)

timestamp

string

The time when the event occurred in UTC

userAgent

string

The user agent from the request