
STEP 5: Start subscriptions (o365-audit-logs)


The Office 365 Management Activity API delivers audit data per content type. You must start a subscription for each content type you want to ingest. Hunters uses these five content types:

| Content type | Description |
|--------------|-------------|
| Audit.AzureActiveDirectory | Azure AD sign-in and directory events |
| Audit.Exchange | Exchange mailbox and admin events |
| Audit.SharePoint | SharePoint, OneDrive, and related events |
| Audit.General | Other workloads (Teams, Power BI, etc.) |
| DLP.All | Data Loss Prevention events |

Important

Microsoft throttles start requests. After you call Start once, wait at least 15 minutes before calling Start again. You will therefore run five start requests in total, with 15 minutes between each.

Start a subscription for each content type

Run the following once per content type (five times in total). Each request starts one subscription. Use the same access_token for each request.

```bash
curl -X POST "https://manage.office.com/api/v1.0/YOUR_TENANT_ID/activity/feed/subscriptions/start?contentType=CONTENT_TYPE&PublisherIdentifier=YOUR_TENANT_ID" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{}'
```

(Optional) List subscriptions to verify

To confirm all five subscriptions are enabled, run (replace YOUR_TENANT_ID and YOUR_ACCESS_TOKEN):

```bash
curl -X GET "https://manage.office.com/api/v1.0/YOUR_TENANT_ID/activity/feed/subscriptions/list?PublisherIdentifier=YOUR_TENANT_ID" \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

You should see an array of subscription objects; each should have "status": "enabled" for the content types you started.
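The whole step as a script, added here as an example and not part of the Hunters documentation or tooling: it spaces the five start calls 15 minutes apart, then calls the list endpoint and reports which content types are still not "enabled". The tenant id and token are placeholders, and the sample list response is constructed to show the check on a partially enabled tenant.

```python
import json
import time
import urllib.request

API = "https://manage.office.com/api/v1.0"
CONTENT_TYPES = [
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.SharePoint",
    "Audit.General", "DLP.All",
]
START_INTERVAL_SECONDS = 15 * 60  # Microsoft throttles Start calls; space them out


def start_url(tenant_id, content_type):
    """Start endpoint for one content type, matching the curl command above."""
    return (f"{API}/{tenant_id}/activity/feed/subscriptions/start"
            f"?contentType={content_type}&PublisherIdentifier={tenant_id}")


def list_url(tenant_id):
    return f"{API}/{tenant_id}/activity/feed/subscriptions/list?PublisherIdentifier={tenant_id}"


def call(url, token, method):
    """Send one authenticated request and decode the JSON body."""
    req = urllib.request.Request(
        url, method=method, data=b"{}" if method == "POST" else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def not_enabled(subscriptions, wanted=CONTENT_TYPES):
    """Content types from `wanted` that are missing or not 'enabled' in a list response."""
    enabled = {s["contentType"] for s in subscriptions if s.get("status") == "enabled"}
    return [ct for ct in wanted if ct not in enabled]


def start_all(tenant_id, token):
    """Start every content type with the required gap, then verify via the list endpoint."""
    for i, ct in enumerate(CONTENT_TYPES):
        if i:
            time.sleep(START_INTERVAL_SECONDS)
        call(start_url(tenant_id, ct), token, "POST")
    return not_enabled(call(list_url(tenant_id), token, "GET"))


# Constructed sample of a list response (array of {contentType, status, webhook} objects).
SAMPLE_LIST_RESPONSE = [
    {"contentType": "Audit.AzureActiveDirectory", "status": "enabled", "webhook": None},
    {"contentType": "Audit.Exchange", "status": "enabled", "webhook": None},
    {"contentType": "Audit.SharePoint", "status": "disabled", "webhook": None},
    {"contentType": "Audit.General", "status": "enabled", "webhook": None},
]

if __name__ == "__main__":
    print("Still to start:", not_enabled(SAMPLE_LIST_RESPONSE))
```

Run `start_all("YOUR_TENANT_ID", "YOUR_ACCESS_TOKEN")` against a real tenant; an empty list back means all five subscriptions are enabled.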

Note: After subscriptions are created, it can take up to 12 hours for the first content blobs to become available. Hunters will begin ingesting once data is available.