Question

我正在尝试从管理活动API中获取Office 365审核日志。在为所需的内容类型创建订阅后，我能够从订阅/内容API中获取数据。

示例：-

查询：https://manage.office.com/api/v1.0/{tenant-id}/activity/feed/audit/xxxxx$xxxxx$audit_sharepoint$Audit_SharePoint

响应：

[
  {
        "CreationTime": "2018-10-08T10:13:15",
        "Id": "xxxxx",
        "Operation": "FileDownloaded",
        "OrganizationId": "xxxxx",
        "RecordType": 6,
        "UserKey": "xxx|membership|xxxxxxx@live.com",
        "UserType": 0,
        "Version": 1,
        "Workload": "OneDrive",
        "ClientIP": "xx.xx.xx.xx",
        "ObjectId": "xxxxxxx",
        "UserId": "xxxxxx",
        "ApplicationId": "xxxxxx",
        "CorrelationId": "xxxxxx",
        "EventSource": "SharePoint",
        "ItemType": "File",
        "ListId": "xxxxx",
        "ListItemUniqueId": "xxxxx",
        "Site": "xxxxx",
        "UserAgent": "xxxxx",
        "WebId": "xxxxx",
        "SourceFileExtension": "jpg",
        "SiteUrl": "xxxxx",
        "SourceFileName": "xxxxx.jpg",
        "SourceRelativeUrl": "xxxxx/xxxxx/xxxxx"
   },
   {..},{..}
]

我需要获取特定用户执行的操作或特定文件执行的操作的日志。通过在MSGraph的安全和合规性中心中的“审核”搜索，可以做到这一点。

API是否有一种方法可以根据UserId或ObjectId字段（可能是查询参数）过滤响应？

Answer 1

不幸的是，通过Office 365管理活动API终结点不支持通过AuditRecord（内容blob）UserId或ObjectId属性进行筛选，仅支持以下参数：

contentType
startTime和endTime

解决方法将如下所示在客户端过滤结果：

示例

const requestUrl = `https://manage.office.com/api/v1.0/${tenantId}/activity/feed/audit/${contentId}$audit_sharepoint$Audit_SharePoint`;
const options = {
   method: 'GET',
   headers: {
      "Content-Type": "application/json; charset=utf-8",
      "Authorization": "bearer " + accessToken
   }
};

const rawResponse = await fetch(requestUrl,options);
const blobs = await rawResponse.json(); //get all blobs

const blobsByUser = blobs.filter(blob => {
    return blob.UserId === "username@contoso.com";
})

Office 365管理活动API-使用用户ID或文件ID进行查询

1 个答案: