The Security Audit Logs API for Meta Admin Center allows admins of organization to access records of security-related events on Admin Center, across managed devices and managed Meta accounts.
With this API, your organization can connect Admin Center with other tools to record and monitor detailed insights about account activities, device activities and overall system changes, for the purpose of security monitoring, legal compliance and archival.
This API is currently in beta and subject to change before being made generally available.
The Security Audit Logs API is available to organizations using Admin Center via custom integrations.
In order to use the API, you need to have the correct permissions to create and manage custom integrations for your organization on Admin Center.
Follow the steps below to use the API:
Custom integrations are scoped to the Admin Center where they were created.
Use this endpoint when making API requests:
https://graph.work.meta.com/security_audit_logs
See usage examples for how to use this endpoint with access tokens in code.
Supported query parameters when calling the API:
Parameter | Description |
---|---|
| Specify the fields to be returned with data. See the response schema below for more details. |
| Pagination cursor for getting results after a specified cursor. |
| Pagination cursor for getting results before a specified cursor. |
| Number of results to return in a single API request.
|
| Filter to return events after start time.
|
| Filter to return events before end time.
|
Note: You can not send both after
and before
parameters in the same query.
The API response will comprise a JSON object with a field called “data”, which contains an array of security event objects.
Each event object will contain the following fields:
Field name | Data type | Description |
---|---|---|
|
| The type of event being logged (e.g. 'Login', 'New role assigned'). |
|
| The username of the actor of the event, e.g. an admin who assigned a new role to a user. Note:For events where the actor and the target are the same (e.g. 'Log in' / 'Log out'), only the target_username field is returned. |
|
| The username of the target of the event, e.g. the person whose account password was reset by admin. |
|
| The IP address from where this event’s action was taken. |
|
| The Unix timestamp of when this event occurred. |
|
| The Useragent of the device from where this event's action was taken. |
|
| Extra data which gives more information about the event. Shape:
|
Below is a list of events that are currently available via the API. This list is subject to change as events are added or removed.
The events available are dependent on the Meta tools being used with Admin Center.
GET /security_audit_logs/ HTTP/1.1
Host: graph.work.meta.com
Authorization: Bearer {your access token}
User-Agent: {your user agent}
{ "data": [ { "timestamp": "2024-06-13T11:57:14+0000", "event": "PASSWORD_CHANGE", "ip_address": "0.0.0.0", "useragent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", "target_username": "username_target@example.com", "actor_username": "username_actor@example.com", "extra_data": { "summary": "Password changed" }, "id": "123123123123123" },{ ... } ], "paging": { "cursors": { "before": {before_cursor}, "after": {after_cursor} }, "next": "https://graph.work.meta.com/v1.0/security_audit_logs?access_token={your_access_token}&limit=50after={after_cursor}", "previous": "https://graph.work.meta.com/v1.0/security_audit_logs?access_token={your_access_token}&limit=50&before={before_cursor}" } }