Spectrum activity surveillance (SAS) is essential to dynamic spectrum access (DSA)-enabled systems with a two-fold impact: it is a primitive mechanism to collect usage data for spectrum efficiency improvement; it is also a prime widget to collect misuse forensics of unauthorized or malicious users. While realizing SAS for DSA-enabled systems appears to be intuitive and trivial, it is, however, a challenging yet open problem. On one hand, a large-scale SAS function is costly to implement in practice; on the other hand, it is not clear how to characterize the efficacy and performance of monitor deployment strategies. To address such challenges, we introduce a three-factor space, composed of spectrum, time, and geographic region, over which the SAS problem is formulated by a two-step solution: 3D-tessellation for sweep (monitoring) coverage and graph walk for detecting spectrum culprits, that is, devices responsible for unauthorized spectrum occupancy. In particular, our system model transforms SAS from a globally collective activity to localized actions, and strategy objectives from qualitative attributes to quantitative measures. With this model, we design low-cost deterministic strategies for dedicated monitors, which outperform strategies found by genetic algorithms, and performance-guaranteed random strategies for crowd-source monitors, which can detect adversarial spectrum culprits in bounded time.