Note
We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.
The Activity API gives you visibility into all actions performed in your cloud apps. The data from this API can supply information regarding who logs in to which app and when, which files are being downloaded from suspicious locations, and so on.
The following lists the supported requests:
Filters
For information about how filters work, see Filters.
The following table describes the supported filters:
Filter | Type | Operators | Description |
---|---|---|---|
service | integer | eq, neq | Filter activities related to the specified service appID, for example: 11770 |
instance | integer | eq, neq | Filter activities from specified instances |
user.orgUnit | string | eq, neq, isset, isnotset | Filter activities by the organization unit of the performing user |
activity.eventType | string | eq, neq | Filter activities by event type |
activity.id | string | eq | Find an activity by ID |
activity.impersonated | boolean | eq | If set to “true”, returns only impersonated events; if set to “false”, returns only non-impersonated events |
activity.type | boolean | eq | If set to “true”, returns only admin events; if set to “false”, returns only regular events |
activity.takenAction | string | eq, neq | Filter activities by the actions taken on them. Possible values include: block: Blocked |
device.type | string | eq, neq | Filter activities by device type. Possible values include: DESKTOP: PC |
device.tags | string | eq, neq | Filter activities by device tag IDs |
userAgent.userAgent | string | contains, ncontains | Filter activities that do or do not contain the given strings in the user agent |
userAgent.tags | string | eq, neq | Filter activities containing the specified user agent tag IDs |
location.country | string | eq, neq, isset, isnotset | Filter activities originating from the specified country/region code |
location.organizations | string | eq, neq, isset, isnotset, contains | Filter activities originating from the specified organization |
ip.address | string | eq, startswith, doesnotstartwith, isset, isnotset, neq | Filter activities originating from the given IP address |
fileSelector | file | eq, neq | Filter activities containing the specified file/folder |
office365url | string | startswith, eq, endswith | Filter activities by Office 365 URLs |
fileId | string | eq | Find a file by ID |
ip.category | integer | eq, neq | Filter activities with the specified subnet categories. Possible values include: 1: Corporate |
ip.tags | string | eq, neq | Filter activities by IP tag IDs |
text | string | eq, startswithsingle, text | Filter activities by performing a free text search |
date | timestamp | lte, gte, range, lte_ndays, gte_ndays | Filter activities that occurred in the specified time range |
policy | string | eq, neq, isset, isnotset | Filter activities related to the specified policies |
source | string | eq, neq | Filter all activities by source type or stream ID. Example: [{ "s:stream-id", "t:source-type" }]. Possible source type values include: 0: Access control |
activity.alertId | string | eq | Filter all activities relevant to an alert ID |
activityObject | string | eq, neq | Filter activities containing the specified ID |
fileLabels | string | eq, neq | Filter files containing the specified file labels (tags) IDs |
created | | lte, gte, range, gt, lt, eq | Filter activities that were created in the specified time range |
entity | entity pk | eq, neq, isset, isnotset, startswith | Filter activities by the entity who performed the activity. Example: [{ "id": "entity-id", "saas": 11161, "inst": 0 }] |
user.username | string | eq, neq, isset, isnotset, startswith | Filter activities by the user who performed the activity |
user.tags | string | eq, neq, isset, isnotset, startswith | Filter activities by tags belonging to the performing user. Requires group IDs |
user.domain | string | eq, neq, isset, isnotset | Filter activities by the performing user domain |
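The table above only tells you which operator each filter accepts; a request that pairs a filter with an operator it does not support is rejected by the service rather than caught in your code. The following is an added example, not Microsoft's own code or sample: it encodes a subset of the table as an allow-list, builds a filter body for a defender-style query (activity in the last 7 days from IPs outside the Corporate category, for the service appID 11770 used as an example on this page), and validates operators locally before anything is sent. The request shape (a POST to `/api/v1/activities/` with a JSON body of `{"filters": {...}, "skip": N, "limit": M}`), the `Authorization: Token <token>` header and the scalar-vs-list shape of filter values are assumptions about the API, not something this page states; `fetch_activities` is only illustrative and is never called here.

```python
"""Build and validate filter bodies for the Defender for Cloud Apps Activity API.

Added example, not Microsoft's own code. The filter -> operator mapping is
taken from the page's filter table; the request shape, endpoint path and
header format below are ASSUMPTIONS about the API.
"""
import json
import urllib.request

# Subset of the page's table: filter name -> the operators it supports.
SUPPORTED_OPERATORS = {
    "service": {"eq", "neq"},
    "instance": {"eq", "neq"},
    "activity.eventType": {"eq", "neq"},
    "activity.impersonated": {"eq"},
    "activity.takenAction": {"eq", "neq"},
    "device.type": {"eq", "neq"},
    "ip.address": {"eq", "startswith", "doesnotstartwith", "isset", "isnotset", "neq"},
    "ip.category": {"eq", "neq"},
    "date": {"lte", "gte", "range", "lte_ndays", "gte_ndays"},
    "user.username": {"eq", "neq", "isset", "isnotset", "startswith"},
    "location.country": {"eq", "neq", "isset", "isnotset"},
    "text": {"eq", "startswithsingle", "text"},
}

IP_CATEGORY_CORPORATE = 1  # "1: Corporate", as listed in the page's table


def is_supported(name, op):
    """True if the page's table lists `op` for filter `name`."""
    return op in SUPPORTED_OPERATORS.get(name, set())


def build_filters(conditions):
    """conditions: iterable of (filter, operator, value) tuples.

    Returns {"filters": {name: {operator: value}}}. Unknown filters and
    unsupported operators raise ValueError locally, so a typo such as
    ("date", "gt", ...) fails before a request is ever made.
    Value shape (scalar here) is an assumption; check the API reference.
    """
    filters = {}
    for name, op, value in conditions:
        if name not in SUPPORTED_OPERATORS:
            raise ValueError(f"unknown filter: {name!r}")
        if not is_supported(name, op):
            raise ValueError(
                f"{name!r} does not support {op!r}; supported: {sorted(SUPPORTED_OPERATORS[name])}"
            )
        filters.setdefault(name, {})[op] = value
    return {"filters": filters}


def non_corporate_activity_query(days=7, service_app_id=11770, limit=100):
    """Body for: activity in the last `days` days, from IPs not in the
    Corporate subnet category, for one service appID (11770 is the
    example appID given on the page). skip/limit paging keys are assumed."""
    body = build_filters([
        ("date", "gte_ndays", days),
        ("ip.category", "neq", IP_CATEGORY_CORPORATE),
        ("service", "eq", service_app_id),
    ])
    body.update({"skip": 0, "limit": limit})
    return body


def fetch_activities(tenant_url, token, body, timeout=30):
    """Illustrative only (not called in this example). ASSUMES the endpoint
    path and the 'Token <token>' authorization scheme; tenant_url is a
    placeholder such as https://<tenant>.portal.cloudappsecurity.com"""
    req = urllib.request.Request(
        tenant_url.rstrip("/") + "/api/v1/activities/",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Token {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(non_corporate_activity_query(), indent=2))
```

Keeping the operator table next to the query builder means that when a filter is added to or removed from the service's table, the change is made in one place and every query that depends on it fails fast with a clear message instead of an opaque HTTP error.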
If you run into any problems, we’re here to help. To get assistance or support for your product issue, please open a support ticket.