Forum Discussion
Help with parameter for Search-UnifiedAuditLog
- Apr 28, 2017
NarasimaPerumal Chandramohan, thanks for pointing me in the right direction. I managed to solve it by using SessionID and SessionCommand. All I needed was a while loop that kept running until the variable taking the audit data returned null, and kept appending to the export file on every loop run.
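The paging loop described in the post above, written out as an added example (this is not code from the thread or from Microsoft). It assumes an existing Exchange Online PowerShell session; the output path, the 24-hour window and the list of record types are placeholders to adjust. Each record type gets its own SessionId so that the pages of one query never mix with another, and every page is appended to the same CSV until the cmdlet returns nothing.

```powershell
# Added example: page through Search-UnifiedAuditLog with SessionId/SessionCommand
# and append every page to one CSV. Requires a connected Exchange Online session.
$Start = (Get-Date).AddDays(-1)
$End   = Get-Date
$Path  = "C:\Temp\AuditExport.csv"          # assumption: where the export accumulates

# Narrow the query up front: one SharePoint record type per paging session, so that
# only the workloads you intend to process come back.
$RecordTypes = @("SharePointFileOperation", "SharePointSharingOperation", "SharePoint")

if (Test-Path $Path) { Remove-Item $Path }   # start clean; Export-Csv -Append adds to an existing file

$total = 0
foreach ($type in $RecordTypes) {
    # Any unique string identifies a paging session; a fresh one per record type keeps pages separate.
    $sessionId = "AuditExport-$type-" + [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType $type `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) {
            # Keep the top-level columns plus the raw AuditData JSON for later parsing.
            $page | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
                Export-Csv -Path $Path -NoTypeInformation -Append
            $total += @($page).Count
        }
    } while ($page)    # an empty result means the session is exhausted
}
"Exported $total records to $Path"
```

ReturnLargeSet returns pages unsorted and a single session is capped at 50,000 results, so if a record type can produce more than that in the chosen window, shrink the window (a 24-hour interval, as used later in this thread) rather than the page size; 5000 is already the maximum ResultSize.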
One thing that strikes me about searching the audit log with PowerShell is that unless you are very careful with the search criteria, you're going to see a heap of data that you might not want to process. There are now so many workloads providing audit records to the data mart that you might be flooded with records you don't expect... So make sure that your search parameters are tuned to request data for the operations you want to examine in the period you need to see...
TonyRedmond, fully agree, especially if you have a large tenant / many users. I set my search date interval to 24 hours and have about 200 licensed users, and I am getting around 3000-4000 rows per day (or about 1.5 MB of data). However, a majority of the records are associated with a service account crawling the tenant for daily backup. Additionally, we are only using Office 365 for SharePoint, so no Exchange, OneDrive or other service that would push the number of returned records to a whole new level.
- TonyRedmond, Apr 18, 2018, MVP
SiteIds absolutely does work, but as you indicate, the problem is to find the GUID for the site. If you have an audit record for an action performed in the site, you can find it in the "more information" details for the record. You can then do something like:
PS C:\> Search-UnifiedAuditLog -SiteIds acfe74d8-edfb-436d-924b-e018666605ee -StartDate 1-dec-2017 -EndDate 18-apr-2018 | ft CreationDate, UserIds, Operations
- Chris Jackson, Apr 18, 2018, Copper Contributor
I believe the SiteIds parameter does work, you just need to use the Site GUID (which you can obtain from the Audit Log Search in the Security and Compliance Center).
- Akhilesh Nirapure, Dec 28, 2017, Copper Contributor
The SiteIds parameter doesn't work, I tried passing in WebId, Site but I get error
The Site Id search is not yet supported.
+ CategoryInfo : InvalidArgument: (:) [Search-UnifiedAuditLog], NotSupportedException
+ FullyQualifiedErrorId : [Server=VI1P191MB0240,RequestId=800fa919-711b-47ee-9915-699b8684a804,TimeStamp=28/12/2017 11:30:37] [FailureCategory=Cmdlet-NotSupportedException] 518C5EC4,Microsoft.Exchange.Management.SystemConfigurationTasks.SearchUnifiedAuditLog
+ PSComputerName : outlook.office365.com
- Rajiv Chokshi, Jul 21, 2017, Microsoft
Thanks, I will try again using your tips. Appreciate your help.
- Pontus T, Jul 20, 2017, Iron Contributor
Rajiv Chokshi, referring to the Technet article that I linked at the end of my answer: You can use the "Operation" parameter to define the specific activities that you are looking for, but I would probably recommend you try querying all of them first and then review and select the ones you care about.
Using the "RecordType" parameter, I see that you can also filter the search to, for example, include things like:
- SharePointFileOperation
- SharePointSharingOperation
The same with the site collection filter. I do not know directly which parameter works best for this. As you can see you have one called "SiteIds" which could work, but I'm not sure that the ID stays the same for all sites or sub sites of a site collection. Maybe it would be better to use "ObjectIds" which is queried as a string and returns the object as a URL. So defining the site collection URL + a wildcard character should hopefully work. Something like:
Search-UnifiedAuditLog -ObjectIds "https://contoso.sharepoint.com/sites/sitecollectionname*"
Hope this helps!
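Because the thread is unsure which server-side parameter isolates one site collection, here is an added example (not code from the thread or from Microsoft) that does the narrowing client-side instead: it parses the AuditData JSON of each record, keeps only objects at or beneath a site collection root, and drops the accounts you name, such as the backup crawler mentioned earlier. The field names UserId, Operation, ObjectId and SiteUrl are assumed from real SharePoint audit records; the four sample records are constructed so the function runs offline, and with a tenant you would pipe Search-UnifiedAuditLog output into Select-SiteAudit instead.

```powershell
# Added example: client-side filter of audit records to one site collection,
# excluding named accounts. Function and sample data are constructed for illustration.
function Select-SiteAudit {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [Parameter(Mandatory)] [string] $SiteUrl,   # site collection root, e.g. https://contoso.sharepoint.com/sites/project
        [string[]] $ExcludeUsers = @()              # accounts to drop, e.g. a backup service account
    )
    begin { $root = $SiteUrl.TrimEnd('/') }
    process {
        # AuditData is a JSON string; SharePoint events carry UserId, Operation, ObjectId and,
        # for most of them, SiteUrl (assumed field names). Site admin events may have only ObjectId.
        $data   = $Record.AuditData | ConvertFrom-Json
        $target = if ($data.SiteUrl) { $data.SiteUrl } else { $data.ObjectId }
        if (-not $target) { return }
        $target = $target.TrimEnd('/')
        # Exact root or a path beneath it; matching "$root/" keeps /sites/project2 out of /sites/project.
        if ($target -ne $root -and
            -not $target.StartsWith("$root/", [System.StringComparison]::OrdinalIgnoreCase)) { return }
        if ($ExcludeUsers -contains $data.UserId) { return }
        [pscustomobject]@{
            CreationDate = $Record.CreationDate
            RecordType   = $Record.RecordType
            Operation    = $data.Operation
            User         = $data.UserId
            Object       = $data.ObjectId
        }
    }
}

# Constructed sample records in the shape Search-UnifiedAuditLog returns (CreationDate, RecordType, AuditData).
$sample = @(
    [pscustomobject]@{ CreationDate = [datetime]'2017-07-20T08:00:00Z'; RecordType = 'SharePointFileOperation'
        AuditData = '{"UserId":"alice@contoso.com","Operation":"FileAccessed","SiteUrl":"https://contoso.sharepoint.com/sites/project/","ObjectId":"https://contoso.sharepoint.com/sites/project/Shared Documents/plan.docx"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2017-07-20T08:05:00Z'; RecordType = 'SharePointFileOperation'
        AuditData = '{"UserId":"svc-backup@contoso.com","Operation":"FileDownloaded","SiteUrl":"https://contoso.sharepoint.com/sites/project/","ObjectId":"https://contoso.sharepoint.com/sites/project/Shared Documents/plan.docx"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2017-07-20T08:10:00Z'; RecordType = 'SharePointSharingOperation'
        AuditData = '{"UserId":"bob@contoso.com","Operation":"SharingSet","SiteUrl":"https://contoso.sharepoint.com/sites/project2/","ObjectId":"https://contoso.sharepoint.com/sites/project2/Shared Documents/budget.xlsx"}' }
    [pscustomobject]@{ CreationDate = [datetime]'2017-07-20T08:15:00Z'; RecordType = 'SharePoint'
        AuditData = '{"UserId":"carol@contoso.com","Operation":"SiteCollectionAdminAdded","ObjectId":"https://contoso.sharepoint.com/sites/project"}' }
)

$sample |
    Select-SiteAudit -SiteUrl 'https://contoso.sharepoint.com/sites/project' -ExcludeUsers 'svc-backup@contoso.com' |
    Format-Table -AutoSize
```

On the sample data this yields two rows: alice's FileAccessed in the site and carol's SiteCollectionAdminAdded on the site root. The svc-backup download is dropped by the exclusion list, and bob's sharing event is dropped because /sites/project2 only shares a prefix with /sites/project, which is exactly why the comparison is made against the root followed by a slash rather than a bare prefix.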
- Rajiv Chokshi, Jul 20, 2017, Microsoft
My needs are specific to SharePoint Online. Using the GUI, I am able to get the 5 different reports below, and I am working on figuring out the correct PowerShell parameters to use and combine all 5 using the append option to get EVERYTHING that happened on a SINGLE site collection into one report.
File and page activities
Folder activities
Sharing and access request activities
Synchronization activities
Site administration activities
- TonyRedmond, Jul 20, 2017, MVP
Given what I see for Exchange Online events, if you added them into the mix and add some compliance like Office 365 retention policies, you might double the data you gather daily...