| title | Create auditLogQuery |
|---|---|
| description | Create a new auditLogQuery object. |
| author | arishojaswi |
| ms.localizationpriority | medium |
| ms.subservice | security |
| doc_type | apiPageType |
| ms.date | 10/29/2024 |
Namespace: microsoft.graph.security
[!INCLUDE beta-disclaimer]
Create a new auditLogQuery object.
[!INCLUDE national-cloud-support]
Auditing data can be accessed through Microsoft Purview Audit Search API via the following permissions, which are classified at a Microsoft 365 service level. To learn more, including how to choose permissions, see Permissions.
| Microsoft 365 service | Delegated (work or school account) | Delegated (personal Microsoft account) | Application |
|---|---|---|---|
| Microsoft OneDrive | AuditLogsQuery-OneDrive.Read.All | Not supported | AuditLogsQuery-OneDrive.Read.All |
| Microsoft Exchange | AuditLogsQuery-Exchange.Read.All | Not supported | AuditLogsQuery-Exchange.Read.All |
| Microsoft SharePoint | AuditLogsQuery-SharePoint.Read.All | Not supported | AuditLogsQuery-SharePoint.Read.All |
| Data Loss Protection for Endpoint | AuditLogsQuery-Endpoint.Read.All | Not supported | AuditLogsQuery-Endpoint.Read.All |
| Microsoft Dynamics CRM | AuditLogsQuery-CRM.Read.All | Not supported | AuditLogsQuery-CRM.Read.All |
| Microsoft Entra | AuditLogsQuery-Entra.Read.All | Not supported | AuditLogsQuery-Entra.Read.All |
| All Audit Logs | AuditLogsQuery.Read.All | Not supported | AuditLogsQuery.Read.All |
POST /security/auditLog/queries| Name | Description |
|---|---|
| Authorization | Bearer {token}. Required. Learn more about authentication and authorization. |
| Content-Type | application/json. Required. |
In the request body, supply a JSON representation of the auditLogQuery object.
You can specify the following properties when creating a auditLogQuery.
| Property | Type | Description |
|---|---|---|
| displayName | String | Display name for the saved audit log query. Optional. |
| filterStartDateTime | DateTimeOffset | Start date of the date range in the query. Optional. |
| filterEndDateTime | DateTimeOffset | End date of the date range in the query. Optional. |
| recordTypeFilters | Collection(string) of microsoft.graph.security.auditLogRecordType | The operation type or types indicated by the record. The possible values are: exchangeAdmin, exchangeItem, exchangeItemGroup, sharePoint, syntheticProbe, sharePointFileOperation, oneDrive, azureActiveDirectory, azureActiveDirectoryAccountLogon, dataCenterSecurityCmdlet, complianceDLPSharePoint, sway, complianceDLPExchange, sharePointSharingOperation, azureActiveDirectoryStsLogon, skypeForBusinessPSTNUsage, skypeForBusinessUsersBlocked, securityComplianceCenterEOPCmdlet, exchangeAggregatedOperation, powerBIAudit, crm, yammer, skypeForBusinessCmdlets, discovery, microsoftTeams, threatIntelligence, mailSubmission, microsoftFlow, aeD, microsoftStream, complianceDLPSharePointClassification, threatFinder, project, sharePointListOperation, sharePointCommentOperation, dataGovernance, kaizala, securityComplianceAlerts, threatIntelligenceUrl, securityComplianceInsights, mipLabel, workplaceAnalytics, powerAppsApp, powerAppsPlan, threatIntelligenceAtpContent, labelContentExplorer, teamsHealthcare, exchangeItemAggregated, hygieneEvent, dataInsightsRestApiAudit, informationBarrierPolicyApplication, sharePointListItemOperation, sharePointContentTypeOperation, sharePointFieldOperation, microsoftTeamsAdmin, hrSignal, microsoftTeamsDevice, microsoftTeamsAnalytics, informationWorkerProtection, campaign, dlpEndpoint, airInvestigation, quarantine, microsoftForms, applicationAudit, complianceSupervisionExchange, customerKeyServiceEncryption, officeNative, mipAutoLabelSharePointItem, mipAutoLabelSharePointPolicyLocation, microsoftTeamsShifts, secureScore, mipAutoLabelExchangeItem, cortanaBriefing, search, wdatpAlerts, powerPlatformAdminDlp, powerPlatformAdminEnvironment, mdatpAudit, sensitivityLabelPolicyMatch, sensitivityLabelAction, sensitivityLabeledFileAction, attackSim, airManualInvestigation, securityComplianceRBAC, userTraining, airAdminActionInvestigation, mstic, physicalBadgingSignal, teamsEasyApprovals, aipDiscover, aipSensitivityLabelAction, aipProtectionAction, aipFileDeleted, aipHeartBeat, mcasAlerts, onPremisesFileShareScannerDlp, onPremisesSharePointScannerDlp, exchangeSearch, sharePointSearch, privacyDataMinimization, labelAnalyticsAggregate, myAnalyticsSettings, securityComplianceUserChange, complianceDLPExchangeClassification, complianceDLPEndpoint, mipExactDataMatch, msdeResponseActions, msdeGeneralSettings, msdeIndicatorsSettings, ms365DCustomDetection, msdeRolesSettings, mapgAlerts, mapgPolicy, mapgRemediation, privacyRemediationAction, privacyDigestEmail, mipAutoLabelSimulationProgress, mipAutoLabelSimulationCompletion, mipAutoLabelProgressFeedback, dlpSensitiveInformationType, mipAutoLabelSimulationStatistics, largeContentMetadata, microsoft365Group, cdpMlInferencingResult, filteringMailMetadata, cdpClassificationMailItem, cdpClassificationDocument, officeScriptsRunAction, filteringPostMailDeliveryAction, cdpUnifiedFeedback, tenantAllowBlockList, consumptionResource, healthcareSignal, dlpImportResult, cdpCompliancePolicyExecution, multiStageDisposition, privacyDataMatch, filteringDocMetadata, filteringEmailFeatures, powerBIDlp, filteringUrlInfo, filteringAttachmentInfo, coreReportingSettings, complianceConnector, powerPlatformLockboxResourceAccessRequest, powerPlatformLockboxResourceCommand, cdpPredictiveCodingLabel, cdpCompliancePolicyUserFeedback, webpageActivityEndpoint, omePortal, cmImprovementActionChange, filteringUrlClick, mipLabelAnalyticsAuditRecord, filteringEntityEvent, filteringRuleHits, filteringMailSubmission, labelExplorer, microsoftManagedServicePlatform, powerPlatformServiceActivity, scorePlatformGenericAuditRecord, filteringTimeTravelDocMetadata, alert, alertStatus, alertIncident, incidentStatus, case, caseInvestigation, recordsManagement, privacyRemediation, dataShareOperation, cdpDlpSensitive, ehrConnector, filteringMailGradingResult, publicFolder, privacyTenantAuditHistoryRecord, aipScannerDiscoverEvent, eduDataLakeDownloadOperation, m365ComplianceConnector, microsoftGraphDataConnectOperation, microsoftPurview, filteringEmailContentFeatures, powerPagesSite, powerAppsResource, plannerPlan, plannerCopyPlan, plannerTask, plannerRoster, plannerPlanList, plannerTaskList, plannerTenantSettings, projectForTheWebProject, projectForTheWebTask, projectForTheWebRoadmap, projectForTheWebRoadmapItem, projectForTheWebProjectSettings, projectForTheWebRoadmapSettings, quarantineMetadata, microsoftTodoAudit, timeTravelFilteringDocMetadata, teamsQuarantineMetadata, sharePointAppPermissionOperation, microsoftTeamsSensitivityLabelAction, filteringTeamsMetadata, filteringTeamsUrlInfo, filteringTeamsPostDeliveryAction, mdcAssessments, mdcRegulatoryComplianceStandards, mdcRegulatoryComplianceControls, mdcRegulatoryComplianceAssessments, mdcSecurityConnectors, mdaDataSecuritySignal, vivaGoals, filteringRuntimeInfo, attackSimAdmin, microsoftGraphDataConnectConsent, filteringAtpDetonationInfo, privacyPortal, managedTenants, unifiedSimulationMatchedItem, unifiedSimulationSummary, updateQuarantineMetadata, ms365DSuppressionRule, purviewDataMapOperation, filteringUrlPostClickAction, irmUserDefinedDetectionSignal, teamsUpdates, plannerRosterSensitivityLabel, ms365DIncident, filteringDelistingMetadata, complianceDLPSharePointClassificationExtended, microsoftDefenderForIdentityAudit, supervisoryReviewDayXInsight, defenderExpertsforXDRAdmin, cdpEdgeBlockedMessage, hostedRpa, cdpContentExplorerAggregateRecord, cdpHygieneAttachmentInfo, cdpHygieneSummary, cdpPostMailDeliveryAction, cdpEmailFeatures, cdpHygieneUrlInfo, cdpUrlClick, cdpPackageManagerHygieneEvent, filteringDocScan, timeTravelFilteringDocScan, mapgOnboard, unknownFutureValue. Optional. |
| keywordFilter | String | Free text field to search non-indexed properties of the audit log. Optional. |
| serviceFilter | String | Refers to the workload property in the audit record. This is the Microsoft service where the activity occurred. Optional. |
| operationFilters | String collection | The name of the user or admin activity. For a description of the most common operations/activities, see Search the audit log in the Office 365 Protection Center. Optional. |
| userPrincipalNameFilters | String collection | The UPN (user principal name) of the user who performed the action (specified in the operation property) that resulted in the record being logged; for example, my_name@my_domain_name. Optional. |
| ipAddressFilters | String collection | The IP address of the device that was used when the activity was logged. Optional. |
| objectIdFilters | String collection | For SharePoint and OneDrive for Business activity, the full path name of the file or folder accessed by the user. For Exchange admin audit logging, the name of the object that was modified by the cmdlet. Optional. |
| administrativeUnitIdFilters | String collection | Administrative units tagged to an audit log record. Optional. |
| status | microsoft.graph.security.auditLogQueryStatus | Current status of the query. The possible values are: notStarted, running, succeeded, failed, cancelled, unknownFutureValue. Optional. |
If successful, this method returns a 201 Created response code and a auditLogQuery object in the response body.
The following example shows a request.
POST https://graph.microsoft.com/beta/security/auditLog/queries
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.security.auditLogQuery",
"displayName": "String",
"filterStartDateTime": "String (timestamp)",
"filterEndDateTime": "String (timestamp)",
"recordTypeFilters": [
"String"
],
"keywordFilter": "String",
"serviceFilter": "String",
"operationFilters": [
"String"
],
"userPrincipalNameFilters": [
"String"
],
"ipAddressFilters": [
"String"
],
"objectIdFilters": [
"String"
],
"administrativeUnitIdFilters": [
"String"
],
"status": "String"
}[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
[!INCLUDE sample-code] [!INCLUDE sdk-documentation]
The following example shows the response.
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.security.auditLogQuery",
"id": "168ec429-084b-a489-90d8-504a87846305",
"displayName": "String",
"filterStartDateTime": "String (timestamp)",
"filterEndDateTime": "String (timestamp)",
"recordTypeFilters": [
"String"
],
"keywordFilter": "String",
"serviceFilter": "String",
"operationFilters": [
"String"
],
"userPrincipalNameFilters": [
"String"
],
"ipAddressFilters": [
"String"
],
"objectIdFilters": [
"String"
],
"administrativeUnitIdFilters": [
"String"
],
"status": "String"
}