I've been using the script Run-MailboxAuditLogSearcher.ps1 and the Search-MailboxAuditlog command for several years and have had great results identifying activity for my users.
I have been using the Purview GUI for a couple of months, trying to become familiar with it. One thing I have noticed is that instead of basing the search on a particular MAILBOX, the key is userID. "The UserIds parameter filters the log entries by the account (UserPrincipalName) of the user who performed the action. For example, mailto:email address removed for privacy reasons" as quoted from https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog?view=exchange-ps . In my role, we are much more frequently asked to identify WHO performed a function in a mailbox than IN WHAT MAILBOX a user performed a function. I'm still comparing the results from Search-MailboxAuditLog to results from Search-UnifiedAuditLog. I can understand why keying on user could be more important when searching for bad behavior on any platform by a specific user account, but for identifying "what happened in this mailbox where 20+ people have access?" it is not helpful at all.
Please, if anyone has worked in the new search more than me and knows how to specify mailbox instead of user, let me know.
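
One way to get a per-mailbox view out of user-keyed results, as an added example that is not part of the original post: filter client-side on the `MailboxOwnerUPN` field inside each record's `AuditData` JSON, then list who acted in that mailbox. The function name `Get-MailboxActivity`, the addresses and the sample records are constructed for illustration; the example assumes the records are Exchange mailbox audit records, whose `AuditData` carries `MailboxOwnerUPN`, `UserId` and `LogonType`.

```powershell
# Constructed sample records shaped like Search-UnifiedAuditLog output:
# UserIds is the actor, AuditData is a JSON string with the mailbox details.
$sample = @(
    [pscustomobject]@{ CreationDate = '2024-05-01T09:12:00'; UserIds = 'alice@contoso.example'
        AuditData = '{"Operation":"SoftDelete","UserId":"alice@contoso.example","MailboxOwnerUPN":"shared-hr@contoso.example","LogonType":2,"ClientIPAddress":"203.0.113.10"}' }
    [pscustomobject]@{ CreationDate = '2024-05-01T09:40:00'; UserIds = 'bob@contoso.example'
        AuditData = '{"Operation":"MoveToDeletedItems","UserId":"bob@contoso.example","MailboxOwnerUPN":"shared-hr@contoso.example","LogonType":2,"ClientIPAddress":"203.0.113.22"}' }
    [pscustomobject]@{ CreationDate = '2024-05-01T10:05:00'; UserIds = 'alice@contoso.example'
        AuditData = '{"Operation":"Send","UserId":"alice@contoso.example","MailboxOwnerUPN":"alice@contoso.example","LogonType":0,"ClientIPAddress":"203.0.113.10"}' }
)

function Get-MailboxActivity {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $Mailbox   # UPN of the mailbox that was acted on
    )
    begin { $logonTypes = @{ 0 = 'Owner'; 1 = 'Admin'; 2 = 'Delegate' } }
    process {
        # Skip records whose AuditData is not valid JSON.
        try { $data = $Record.AuditData | ConvertFrom-Json } catch { return }
        # Keep only actions performed IN the requested mailbox, whoever the actor was.
        # Records without MailboxOwnerUPN (non-mailbox workloads) fall out here too.
        if ($data.MailboxOwnerUPN -ne $Mailbox) { return }
        [pscustomobject]@{
            When      = $Record.CreationDate
            Mailbox   = $data.MailboxOwnerUPN
            Actor     = $data.UserId
            Operation = $data.Operation
            LogonType = $logonTypes[[int]$data.LogonType]
            ClientIP  = $data.ClientIPAddress
        }
    }
}

# Who did what in the shared mailbox (returns the two delegate actions above).
$sample | Get-MailboxActivity -Mailbox 'shared-hr@contoso.example' |
    Sort-Object When | Format-Table -AutoSize

# Against live data, feed the same function from the cmdlet instead of $sample, e.g.:
#   Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType ExchangeItem -ResultSize 5000 |
#       Get-MailboxActivity -Mailbox 'shared-hr@contoso.example'
```

Because the filtering happens after retrieval, the date range and record type still determine how many records are pulled; a single call returns at most 5000 records, so wider windows need paging with `-SessionId` and `-SessionCommand`.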