Audit Log - Query

Queries audit log entries

GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?api-version=5.1-preview.1
GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?startTime={startTime}&endTime={endTime}&batchSize={batchSize}&continuationToken={continuationToken}&skipAggregation={skipAggregation}&api-version=5.1-preview.1

URI Parameters

| Name | In | Required | Type | Description |
|---|---|---|---|---|
| organization | path | | string | The name of the Azure DevOps organization. |
| api-version | query | True | string | Version of the API to use. This should be set to '5.1-preview.1' to use this version of the api. |
| batchSize | query | | integer (int32) | Max number of results to return. Optional |
| continuationToken | query | | string | Token used for returning next set of results from previous query. Optional |
| endTime | query | | string (date-time) | End time of download window. Optional |
| skipAggregation | query | | boolean | Skips aggregating events and leaves them as individual entries instead. By default events are aggregated. Event types that are aggregated: AuditLog.AccessLog. |
| startTime | query | | string (date-time) | Start time of download window. Optional |

Responses

| Name | Type | Description |
|---|---|---|
| 200 OK | | successful operation |

Security

accessToken

Personal access token. Use any value for the user name and the token as the password.

Type: basic

Examples

By date

Sample Request

GET https://auditservice.dev.azure.com/{organization}/_apis/audit/auditlog?startTime=2019-03-04T14:05:59.928Z&endTime=2019-03-05T14:05:59.928Z&batchSize=2&api-version=5.1-preview.1

Sample Response

{
  "value": {
    "decoratedAuditLogEntries": [
      {
        "id": "2518505060978539161;00000064-0000-8888-8000-000000000000;86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "correlationId": "86fbe369-3f5d-4f52-9ab0-3be7db271948",
        "activityId": "033fde68-f713-4984-b24f-8d7a73d1ade6",
        "actorCUID": "a718550e-4777-4058-8298-bff88d0cb524",
        "actorUserId": "d6a98b6c-6932-485c-a986-aea9fc981df0",
        "authenticationMechanism": "FedAuth",
        "timestamp": "2019-03-05T14:05:02.1460838+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": "167.220.148.131",
        "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.119 Safari/537.36",
        "actionId": "AuditLog.AccessLog",
        "data": {
          "Filter": {
            "StartTime": "2019-03-04T14:05:59.928Z",
            "EndTime": "2019-03-05T14:05:59.928Z",
            "ContinuationToken": null,
            "BatchSize": 2,
            "HasMore": true
          },
          "EventSummary": [
            "2019-03-05T14:05:02.1460838+00:00",
            "2019-03-05T13:59:40.4899467+00:00",
            "2019-03-05T13:58:13.159128+00:00"
          ]
        },
        "details": "Accessed the audit log 3 times",
        "area": "Auditing",
        "category": "access",
        "categoryDisplayName": "Access",
        "actorDisplayName": "Norman Paulk",
        "actorImageUrl": "https://dev.azure.com/fabrikam/_apis/GraphProfile/MemberAvatars/aad.NzdhMTNiN2MtYjIxNy03NDc4LWIxMjItYTlhMTU5YTFlNWQw"
      },
      {
        "id": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
        "correlationId": "57f825b4-a940-44a3-a3cc-25cdb9871107",
        "activityId": "01abe2fd-deee-4a47-b35f-dff3edc059a4",
        "actorCUID": "00000000-0000-0000-0000-000000000000",
        "actorUserId": "00000002-0000-8888-8000-000000000000",
        "authenticationMechanism": "",
        "timestamp": "2019-03-05T14:00:35.5034419+00:00",
        "scopeType": "organization",
        "scopeDisplayName": "fabrikam (Organization)",
        "scopeId": "73638cd5-0dda-4128-9fd6-48c16d4e4de3",
        "ipAddress": null,
        "userAgent": "",
        "actionId": "Project.CreateCompleted",
        "data": {
          "ProjectId": "2e0ffea5-d693-4711-862c-94393bacadcb",
          "ProjectName": "fabrikam-fiber-git",
          "ProcessTemplate": "Agile",
          "ProjectVisibility": "Private"
        },
        "details": "fabrikam-fiber-git project was created successfully",
        "area": "Project",
        "category": "create",
        "categoryDisplayName": "Create",
        "actorDisplayName": "Azure DevOps Service",
        "actorImageUrl": null
      }
    ],
    "continuationToken": "2518505063644965580;00000002-0000-8888-8000-000000000000;198b13cf-5201-48e8-acef-0d8bb2d9e815",
    "hasMore": false
  }
}
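
Added example (not part of the original reference page and not Microsoft's sample code): a Python client that pages through the audit log by passing each continuationToken back until hasMore is false, authenticating with a personal access token as the Basic password. The function names, the injectable `fetch` parameter and the `max_pages` guard are assumptions of this example.

```python
import base64
import json
import urllib.parse
import urllib.request

API_VERSION = "5.1-preview.1"

def build_url(organization, start_time=None, end_time=None, batch_size=None,
              continuation_token=None, skip_aggregation=None):
    """Build the query URL; optional parameters are omitted when None."""
    params = {
        "startTime": start_time,
        "endTime": end_time,
        "batchSize": batch_size,
        "continuationToken": continuation_token,
        "skipAggregation": None if skip_aggregation is None else str(skip_aggregation).lower(),
        "api-version": API_VERSION,
    }
    query = urllib.parse.urlencode({k: v for k, v in params.items() if v is not None})
    org = urllib.parse.quote(organization, safe="")
    return f"https://auditservice.dev.azure.com/{org}/_apis/audit/auditlog?{query}"

def basic_auth_header(pat, user="pat"):
    """Basic auth: any user name, the personal access token as the password."""
    raw = f"{user}:{pat}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}

def http_fetch(url, headers):
    """Default transport: GET the URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_audit_entries(organization, pat, fetch=http_fetch, max_pages=1000, **window):
    """Yield every entry in the window, following continuationToken while hasMore."""
    # pat: load it from a secret store or environment variable, never hard-code it.
    token, seen = None, set()
    for _ in range(max_pages):
        body = fetch(build_url(organization, continuation_token=token, **window),
                     basic_auth_header(pat))
        result = body.get("value", body)  # the sample response nests under "value"
        for entry in result.get("decoratedAuditLogEntries") or []:
            yield entry
        token = result.get("continuationToken")
        if not result.get("hasMore") or not token or token in seen:
            return  # finished, or the token stopped advancing
        seen.add(token)
    raise RuntimeError("max_pages reached before hasMore became false")
```

Pass `start_time`, `end_time`, `batch_size` and `skip_aggregation` as keyword arguments; the `fetch` parameter lets the paging logic be exercised against recorded responses without network access.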

Definitions

AuditActionCategory

Type of action executed

| Name | Type | Description |
|---|---|---|
| access | string | An artifact has been Accessed |
| create | string | An artifact has been Created |
| modify | string | An artifact has been Modified |
| remove | string | An artifact has been Removed |
| unknown | string | The category is not known |

AuditLogQueryResult

The object returned when the audit log is queried. It contains the log and the information needed to query more audit entries.

| Name | Type | Description |
|---|---|---|
| continuationToken | string | The continuation token to pass to get the next set of results |
| decoratedAuditLogEntries | | The list of audit log entries |
| hasMore | boolean | True when there are more matching results to be fetched, false otherwise. |

AuditScopeType

The type of the scope, Enterprise, Organization or Project

| Name | Type | Description |
|---|---|---|
| deployment | string | Deployment |
| enterprise | string | Enterprise |
| organization | string | Organization |
| project | string | Project |
| unknown | string | The scope is not known or has not been set |

DecoratedAuditLogEntry

| Name | Type | Description |
|---|---|---|
| actionId | string | The action ID for the event, e.g. Git.CreateRepo, Project.RenameProject |
| activityId | string | ActivityId |
| actorCUID | string | The Actor's CUID |
| actorDisplayName | string | DisplayName of the user who initiated the action |
| actorImageUrl | string | URL of Actor's Profile image |
| actorUserId | string | The Actor's User Id |
| area | string | Area of Azure DevOps where the action occurred |
| authenticationMechanism | string | Type of authentication used by the actor |
| category | | Type of action executed |
| categoryDisplayName | string | DisplayName of the category |
| correlationId | string | This allows related audit entries to be grouped together. Generally this occurs when a single action causes a cascade of audit entries, for example project creation. |
| data | object | External data such as CUIDs, item names, etc. |
| details | string | Decorated details |
| id | string | EventId - Needs to be unique per service |
| ipAddress | string | IP address from which the event originated |
| scopeDisplayName | string | DisplayName of the scope |
| scopeId | string | The organization or project Id |
| scopeType | | The type of the scope, Organization or Project |
| timestamp | string | The time when the event occurred in UTC |
| userAgent | string | The user agent from the request |