Share via

Audit Log - Query

Service:
Audit
API Version:
7.1-preview.1

Queries audit log entries

GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?api-version=7.1-preview.1
With optional parameters: 
GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?startTime={startTime}&endTime={endTime}&batchSize={batchSize}&continuationToken={continuationToken}&skipAggregation={skipAggregation}&api-version=7.1-preview.1

URI Parameters

Name In Required Type Description
organization
 path

string

The name of the Azure DevOps organization.
api-version
 query True

string

Version of the API to use. This should be set to '7.1-preview.1' to use this version of the api.
batchSize
 query

integer (int32)

Max number of results to return. Optional
continuationToken
 query

string

Token used for returning next set of results from previous query. Optional
endTime
 query

string (date-time)

End time of download window. Optional
skipAggregation
 query

boolean

Skips aggregating events and leaves them as individual entries instead. By default events are aggregated. Event types that are aggregated: AuditLog.AccessLog.
startTime
 query

string (date-time)

Start time of download window. Optional

Responses

Name Type Description
200 OK

AuditLogQueryResult

successful operation

Security

oauth2

Type: oauth2
Flow: accessCode
Authorization URL: https://app.vssps.visualstudio.com/oauth2/authorize&response_type=Assertion
Token URL: https://app.vssps.visualstudio.com/oauth2/token?client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer

Scopes

Name Description
vso.auditlog Grants the ability to read the auditing log and audit streams to users

Examples

By date

Sample request

GET https://auditservice.dev.azure.com/_apis/audit/auditlog?startTime=2019-03-04T14:05:59.928Z&endTime=2019-03-05T14:05:59.928Z&batchSize=2&api-version=7.1-preview.1

Sample response

Status code:
200 
{
  "value": {
    "decoratedAuditLogEntries": [
      {
        "id": "2518505060978539161;00000064-0000-8888-8000-000000000000;86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "correlationId": "86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "activityId": "033fde68-f713-4984-b24f-8d7a73d1ade6",
        "actorCUID": "a718550e-4777-4058-8298-bff88d0cb524",
        "actorUserId": "d6a98b6c-6932-485c-a986-aea9fc981df0",
        "authenticationMechanism": "FedAuth",
        "timestamp": "2019-03-05T14:05:02.1460838+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": "167.220.148.131",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
        "actionId": "AuditLog.AccessLog",
        "data": {
          "Filter": {
            "StartTime": "2019-03-04T14:05:59.928Z",
            "EndTime": "2019-03-05T14:05:59.928Z",
            "ContinuationToken": null,
            "BatchSize": 2,
            "HasMore": true
          },
          "EventSummary": [
            "2019-03-05T14:05:02.1460838+00:00",
            "2019-03-05T13:59:40.4899467+00:00",
            "2019-03-05T13:58:13.159128+00:00"
          ]
        },
        "details": "Accessed the audit log 3 times",
        "area": "Auditing",
        "category": "access",
        "categoryDisplayName": "Access",
        "actorDisplayName": "Norman Paulk",
        "actorImageUrl": "https://dev.azure.com/fabrikam/_apis/GraphProfile/MemberAvatars/aad.NzdhMTNiN2MtYjIxNy03NDc4LWIxMjItYTlhMTU5YTFlNWQw"
      },
      {
        "id": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
        "correlationId": "57f825b4-a940-44a3-a3cc-25cdb9871107",
        "activityId": "01abe2fd-deee-4a47-b35f-dff3edc059a4",
        "actorCUID": "00000000-0000-0000-0000-000000000000",
        "actorUserId": "00000002-0000-8888-8000-000000000000",
        "authenticationMechanism": "",
        "timestamp": "2019-03-05T14:00:35.5034419+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": null,
        "userAgent": "",
        "actionId": "Project.CreateCompleted",
        "data": {
          "ProjectId": "2e0ffea5-d693-4711-862c-94393bacadcb",
          "ProjectName": "fabrikam-fiber-git",
          "ProcessTemplate": "Agile",
          "ProjectVisibility": "Private"
        },
        "details": "fabrikam-fiber-git project was created successfully",
        "area": "Project",
        "category": "create",
        "categoryDisplayName": "Create",
        "actorDisplayName": "Azure DevOps Service",
        "actorImageUrl": null
      }
    ],
    "continuationToken": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
    "hasMore": false
  }
}

Definitions

Name Description
AuditActionCategory

Type of action executed
AuditLogQueryResult

The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.
AuditScopeType

The type of the scope (Organization is only scope currently supported)
DecoratedAuditLogEntry

AuditActionCategory

Enumeration

Type of action executed

Value Description
unknown

The category is not known
modify

An artifact has been Modified
remove

An artifact has been Removed
create

An artifact has been Created
access

An artifact has been Accessed
execute

An artifact has been Executed

AuditLogQueryResult

Object

The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.

Name Type Description
continuationToken

string

The continuation token to pass to get the next set of results
decoratedAuditLogEntries

DecoratedAuditLogEntry[]

The list of audit log entries
hasMore

boolean

True when there are more matching results to be fetched, false otherwise.

AuditScopeType

Enumeration

The type of the scope (Organization is only scope currently supported)

Value Description
unknown

The scope is not known or has not been set
deployment

Deployment
enterprise

Enterprise
organization

Organization
project

Project

DecoratedAuditLogEntry

Object
Name Type Description
actionId

string

The action id for the event, i.e Git.CreateRepo, Project.RenameProject
activityId

string (uuid)

ActivityId
actorCUID

string (uuid)

The Actor's CUID
actorClientId

string (uuid)

The Actor's Client Id (if actor is a service principal)
actorDisplayName

string

DisplayName of the user who initiated the action
actorImageUrl

string

URL of Actor's Profile image
actorUPN

string

The Actor's UPN
actorUserId

string (uuid)

The Actor's User Id (if actor is a user)
area

string

Area of Azure DevOps the action occurred
authenticationMechanism

string

Type of authentication used by the actor
category

AuditActionCategory

Type of action executed
categoryDisplayName

string

DisplayName of the category
correlationId

string (uuid)

This allows related audit entries to be grouped together. Generally this occurs when a single action causes a cascade of audit entries. For example, project creation.
data

object

External data such as CUIDs, item names, etc.
details

string

Decorated details
id

string

EventId - Needs to be unique per service
ipAddress

string

IP Address where the event was originated
projectId

string (uuid)

When specified, the id of the project this event is associated to
projectName

string

When specified, the name of the project this event is associated to
scopeDisplayName

string

DisplayName of the scope
scopeId

string (uuid)

The organization Id (Organization is the only scope currently supported)
scopeType

AuditScopeType

The type of the scope (Organization is only scope currently supported)
timestamp

string (date-time)

The time when the event occurred in UTC
userAgent

string

The user agent from the request