Search-UnifiedAuditLog
4 Topics

Help with parameter for Search-UnifiedAuditLog
Hi,

Disclaimer: I am new to PowerShell, hence why I turn here for your input.

Background: I'm creating a Power BI dashboard based on data exported from the O365 Audit Log. For the moment, I'm not using the recently launched API, but a daily scheduled PowerShell script to export the data. Everything works fine with one exception:

Issue: The maximum number of objects that can be returned in one query is 5000 (see article for details). We have a fairly small tenant, so I have divided the cmdlet to run twice to cover 24h (AM+PM), which gives us 10k rows, which is usually enough. Now the exception is when we run SharePoint backups via Metalogix. The operation is of course walking through every single file, which results in logs well above 10k rows.

Solution? What I want to achieve is to exclude the user account associated with the backup operation, to only return "relevant" objects/events. I was hoping to achieve this by using the parameters provided in the cmdlet, but with my limited knowledge I can't figure it out. I can pass user IDs to include, but would this also allow me to exclude by user ID? If so, how? I can always divide the cmdlet to run more than twice per 24h, allowing more objects to be returned, but I hope there is a better solution to this.

https://technet.microsoft.com/en-us/library/mt238501%28v=exchg.160%29.aspx?f=255&MSPPError=-2147217396

Many thanks!

Solved | 31K Views | 0 likes | 24 Comments

Stream Audit Log - Script to check who viewed/liked a video returns the same element multiple times
Hello everyone,

I have been asked to find out who viewed/liked a specific video in Microsoft Stream. I am using the following script to get the first info (for the second I replace the StreamInvokeVideoView with StreamInvokeVideoLike):

    # Search window: the last 30 days
    $StartDate = (Get-Date).AddDays(-30)
    $EndDate = (Get-Date)
    # Query Stream view events for the video, sorted by creation date
    $Viewers = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType MicrosoftStream -Operations StreamInvokeVideoView -ObjectIds "VIDEOLINK" -ResultSize 500 | Sort-Object CreationDate
    # AuditData is a JSON string; expand it and convert it to objects
    $ConvertAudit = $Viewers | Select-Object -ExpandProperty AuditData | ConvertFrom-Json
    $ConvertAudit | Select-Object CreationTime, ResourceTitle, UserId, ClientIP, Operation, Workload, ResultStatus

The issue I am having is that when I check the $Viewers and the $ConvertAudit variables, I have several repeated elements (e.g. I see the same user with the same creationdate and the same auditdata repeated almost 100 times). What am I doing wrong? I will then export the results to a csv or xlsx file.

Any help would be greatly appreciated! Many thanks in advance!

Francesco

Solved | 1.3K Views | 0 likes | 2 Comments

PowerShell 2 - Need commandlet Search-UnifiedAuditLog
Disclaimer - Limited PowerShell experience and new to the community.

We've developed a script that runs on our local machines that pulls O365 audit logs using the commandlet Search-UnifiedAuditLog.

Our local machines have: Windows 10 64 bit with PowerShell 5 and .NET Framework 4.6.

We now need to get the script to run on an older production server. The server is running Windows 7 SP1 64 bit with PowerShell 2 and .NET Framework 4.5.2.

I need to provide precise instructions on what steps need to be taken in order to make this possible, since this commandlet Search-UnifiedAuditLog is not currently available on the server. Unfortunately the documentation I can find on this commandlet does not tell me exactly what I would need to do to make this happen. Is it as simple as upgrading to a newer version of PowerShell? Is there a specific module I can add that would work in PS 2?

https://technet.microsoft.com/en-us/library/mt238501(v=exchg.160).aspx

I'm researching but any advice / suggestions are welcome.

Solved | 8.9K Views | 0 likes | 3 Comments