命名空间:microsoft.graph.security
创建新的 auditLogQuery 对象。
此 API 可用于以下国家级云部署。
| 全局服务 | 美国政府 L4 | 美国政府 L5 (DOD) | 由世纪互联运营的中国 |
|---|---|---|---|
| ✅ | ❌ | ❌ | ❌ |
权限
可以通过 Microsoft Purview 审核搜索 API 通过以下权限访问审核数据,这些权限在 Microsoft 365 服务级别进行分类。 若要了解详细信息,包括如何选择权限的信息,请参阅权限。
| 权限类型 | 最低特权权限 | 更高特权权限 |
|---|---|---|
| 委派(工作或学校帐户) | AuditLogsQuery-Entra.Read.All | AuditLogsQuery-CRM.Read.All、AuditLogsQuery-Endpoint.Read.All、AuditLogsQuery-Exchange.Read.All、AuditLogsQuery-OneDrive.Read.All、AuditLogsQuery-SharePoint.Read.All、AuditLogsQuery.Read.All |
| 委派(个人 Microsoft 帐户) | 不支持。 | 不支持。 |
| 应用程序 | AuditLogsQuery-Entra.Read.All | AuditLogsQuery-CRM.Read.All、AuditLogsQuery-Endpoint.Read.All、AuditLogsQuery-Exchange.Read.All、AuditLogsQuery-OneDrive.Read.All、AuditLogsQuery-SharePoint.Read.All、AuditLogsQuery.Read.All |
HTTP 请求
POST /security/auditLog/queries
请求标头
| 名称 | 说明 |
|---|---|
| Authorization | 持有者 {token}。 必填。 详细了解 身份验证和授权。 |
| Content-Type | application/json. 必需。 |
请求正文
在请求正文中,提供 auditLogQuery 对象的 JSON 表示形式。
创建 auditLogQuery 时,可以指定以下属性。
| 属性 | 类型 | 说明 |
|---|---|---|
| displayName | String | 保存的审核日志查询的显示名称。 可选。 |
| filterStartDateTime | DateTimeOffset | 查询中日期范围的开始日期。 可选。 |
| filterEndDateTime | DateTimeOffset | 查询中日期范围的结束日期。 可选。 |
| recordTypeFilters | microsoft.graph.security.auditLogRecordType 的集合 (字符串) | 记录指示的作类型。 可能的值为:、、、、、exchangeItemGroupsharePointFileOperationsyntheticProbesharePointazureActiveDirectoryoneDrive、、 microsoftTeamsDevicehrSignalmicrosoftTeamsAdminsharePointContentTypeOperationsharePointFieldOperationinformationBarrierPolicyApplicationdataInsightsRestApiAudithygieneEventexchangeItemAggregatedteamsHealthcarelabelContentExplorerthreatIntelligenceAtpContentpowerAppsPlansharePointListItemOperationpowerAppsAppworkplaceAnalyticsmipLabelmicrosoftTeamsAnalyticssecurityComplianceInsightsinformationWorkerProtectiondiscoverymicrosoftTeamsskypeForBusinessCmdletsyammercrmthreatIntelligencepowerBIAuditexchangeAggregatedOperationsecurityComplianceCenterEOPCmdletmicrosoftFlowcampaignmailSubmissioncomplianceDLPSharePointClassificationmicrosoftStreamaeDthreatIntelligenceUrldataGovernancethreatFinderkaizalasecurityComplianceAlertssharePointListOperationsharePointCommentOperationprojectcomplianceDLPExchangesharePointSharingOperationswayskypeForBusinessUsersBlockedazureActiveDirectoryAccountLogonskypeForBusinessPSTNUsagedataCenterSecurityCmdletazureActiveDirectoryStsLogoncomplianceDLPSharePointexchangeItemexchangeAdmindlpEndpoint, airInvestigation, quarantine, microsoftForms, applicationAudit, complianceSupervisionExchange, customerKeyServiceEncryption, , mipAutoLabelSharePointItemofficeNativemipAutoLabelSharePointPolicyLocationmicrosoftTeamsShiftssecureScoremipAutoLabelExchangeItemcortanaBriefingsearchwdatpAlertspowerPlatformAdminDlppowerPlatformAdminEnvironmentmdatpAuditsensitivityLabelPolicyMatchsensitivityLabelActionsensitivityLabeledFileActionattackSimairManualInvestigationsecurityComplianceRBACuserTrainingairAdminActionInvestigationmsticphysicalBadgingSignalteamsEasyApprovalsaipDiscoveraipSensitivityLabelActionaipProtectionActionaipFileDeletedaipHeartBeatmcasAlertsonPremisesFileShareScannerDlponPremisesSharePointScannerDlpexchangeSearchsharePointSearchprivacyDataMinimizationlabelAnalyticsAggregatemyAnalyticsSettingssecurityComplianceUserChangecomplianceDLPExchangeClassificationcomplianceDLPEndpointmipExactDataMatchmsdeResponseActionsmsdeGeneralSettingsmsdeIndicatorsSettingsms365DCustomDetectionmsdeRolesSettingsmapgAlertsmapgPolicymapgRemediationprivacyRemediationActionprivacyDigestEmailmipAutoLabelSimulationProgressmipAutoLabelSimulationCompletionmipAutoLabelProgressFeedbackdlpSensitiveInformationType, mipAutoLabelSimulationStatistics, largeContentMetadata, microsoft365Group, cdpMlInferencingResult, filteringEntityEventdlpImportResultcdpCompliancePolicyExecutionmultiStageDispositionprivacyDataMatchhealthcareSignalfilteringEmailFeaturesfilteringDocMetadatapowerBIDlpfilteringUrlInfofilteringAttachmentInfocoreReportingSettingscomplianceConnectorconsumptionResourcepowerPlatformLockboxResourceCommandpowerPlatformLockboxResourceAccessRequestcdpPredictiveCodingLabelcdpCompliancePolicyUserFeedbackwebpageActivityEndpointomePortalscorePlatformGenericAuditRecordpowerPlatformServiceActivityfilteringTimeTravelDocMetadatamicrosoftManagedServicePlatformlabelExplorerfilteringMailSubmissionalertfilteringRuleHitsmipLabelAnalyticsAuditRecordfilteringUrlClickalertStatuscmImprovementActionChangetenantAllowBlockListcdpUnifiedFeedbackfilteringPostMailDeliveryActionfilteringMailGradingResultcaseInvestigationrecordsManagementprivacyRemediationcaseehrConnectorincidentStatuscdpDlpSensitivealertIncidentdataShareOperationpublicFolderfilteringMailMetadatacdpClassificationMailItemcdpClassificationDocumentofficeScriptsRunActionprivacyTenantAuditHistoryRecord, aipScannerDiscoverEvent, eduDataLakeDownloadOperation, m365ComplianceConnector, microsoftGraphDataConnectOperation, mdcRegulatoryComplianceAssessmentsplannerTaskListplannerTenantSettingsprojectForTheWebProjectprojectForTheWebTaskplannerPlanListprojectForTheWebRoadmapItemprojectForTheWebRoadmapprojectForTheWebProjectSettingsprojectForTheWebRoadmapSettingsquarantineMetadatamicrosoftTodoAudittimeTravelFilteringDocMetadataplannerRostersharePointAppPermissionOperationteamsQuarantineMetadatamicrosoftTeamsSensitivityLabelActionfilteringTeamsMetadatafilteringTeamsUrlInfofilteringTeamsPostDeliveryActionmicrosoftGraphDataConnectConsentattackSimAdminfilteringAtpDetonationInfofilteringRuntimeInfovivaGoalsmdaDataSecuritySignalprivacyPortalmdcSecurityConnectorsmdcRegulatoryComplianceControlsmdcRegulatoryComplianceStandardsmanagedTenantsmdcAssessmentsplannerTaskplannerCopyPlanplannerPlanms365DIncidentms365DSuppressionRulepurviewDataMapOperationfilteringUrlPostClickActionupdateQuarantineMetadataplannerRosterSensitivityLabelunifiedSimulationSummaryteamsUpdatesunifiedSimulationMatchedItemirmUserDefinedDetectionSignalfilteringDelistingMetadatamicrosoftPurviewfilteringEmailContentFeaturespowerPagesSitepowerAppsResourcecomplianceDLPSharePointClassificationExtended、microsoftDefenderForIdentityAudit、、supervisoryReviewDayXInsight、defenderExpertsforXDRAdmin、hostedRpacdpContentExplorerAggregateRecordcdpEdgeBlockedMessage、、cdpHygieneAttachmentInfo、cdpHygieneSummary、cdpPostMailDeliveryActioncdpEmailFeatures、cdpUrlClickcdpHygieneUrlInfo、cdpPackageManagerHygieneEvent、、filteringDocScan、timeTravelFilteringDocScan、 。 unknownFutureValuemapgOnboard 可选。 |
| keywordFilter | String | 用于搜索审核日志的非索引属性的自由文本字段。 可选。 |
| serviceFilter | String | 指审核记录中的工作负载属性。 这是发生活动的Microsoft服务。 可选。 |
| operationFilters | 字符串集合 | 用户或管理员活动的名称。 有关最常见操作/活动的说明,请参阅在 Office 365 保护中心搜索审核日志。 可选。 |
| userPrincipalNameFilters | 字符串集合 | UPN (用户主体名称) 执行作的用户 (作属性中指定的) ,导致记录被记录;例如, my_name@my_domain_name。 可选。 |
| ipAddressFilters | 字符串集合 | 记录活动时使用的设备的 IP 地址。 可选。 |
| objectIdFilters | 字符串集合 | 对于 SharePoint 和 OneDrive for Business 活动,用户访问的文件或文件夹的完整路径名称。 对于 Exchange 管理员审核日志,通过 cmdlet 修改的对象的名称。 可选。 |
| administrativeUnitIdFilters | 字符串集合 | 标记为审核日志记录的管理单元。 可选。 |
| status | microsoft.graph.security.auditLogQueryStatus | 查询的当前状态。 可能的值包括 notStarted、running、succeeded、failed、cancelled、unknownFutureValue。 可选。 |
响应
如果成功,此方法在 201 Created 响应正文中返回响应代码和 auditLogQuery 对象。
示例
请求
以下示例显示了一个请求。
POST https://graph.microsoft.com/v1.0/security/auditLog/queries
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.security.auditLogQuery",
"displayName": "String",
"filterStartDateTime": "String (timestamp)",
"filterEndDateTime": "String (timestamp)",
"recordTypeFilters": [
"String"
],
"keywordFilter": "String",
"serviceFilter": "String",
"operationFilters": [
"String"
],
"userPrincipalNameFilters": [
"String"
],
"ipAddressFilters": [
"String"
],
"objectIdFilters": [
"String"
],
"administrativeUnitIdFilters": [
"String"
],
"status": "String"
}
响应
以下示例显示了相应的响应。
注意:为了提高可读性,可能缩短了此处显示的响应对象。
HTTP/1.1 201 Created
Content-Type: application/json
{
"@odata.type": "#microsoft.graph.security.auditLogQuery",
"id": "168ec429-084b-a489-90d8-504a87846305",
"displayName": "String",
"filterStartDateTime": "String (timestamp)",
"filterEndDateTime": "String (timestamp)",
"recordTypeFilters": [
"String"
],
"keywordFilter": "String",
"serviceFilter": "String",
"operationFilters": [
"String"
],
"userPrincipalNameFilters": [
"String"
],
"ipAddressFilters": [
"String"
],
"objectIdFilters": [
"String"
],
"administrativeUnitIdFilters": [
"String"
],
"status": "String"
}