Need to deal with the 50k Item limit
Search-UnifiedAuditLog will only return 50k items. If the search gets back >50k items we have two issues:
- How do we get all of the items back and not just the 50K?
- Right now the return gets stuck in a loop and will keep trying to get back the 50k.
Could you use something like the example script at this URL (https://blogs.msdn.microsoft.com/tehnoonr/2018/01/26/retrieving-office-365-audit-data-using-powershell/) to pull down the Unified Audit Log in 15-minute chunks?
Or start with 60-minute chunks and, if the query produces > 5,000 results, reduce the time slice further to help optimise the pull.
I hacked at the above script and managed to pull down 1.2GB worth of Unified Audit Log for a tenancy before it finally crapped out.
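The adaptive time-slicing approach suggested above, as an added example that is not from the thread or the linked blog script. It assumes an existing Exchange Online PowerShell session where `Search-UnifiedAuditLog` is available; `Get-UalSlice`, `$MaxPerSlice` and the output CSV layout are this example's own choices, and the 5,000 split threshold follows the comment above.

```powershell
# Added example: pull the Unified Audit Log window by window, halving any window
# whose total hit count exceeds $MaxPerSlice so no single session approaches the
# 50k per-session cap that makes the original loop re-fetch the same 50k.
function Get-UalSlice {
    param(
        [datetime]$Start,
        [datetime]$End,
        [string]$OutFile,
        [int]$MaxPerSlice = 5000   # split threshold from the comment above (assumption)
    )
    # Probe the window: with ReturnLargeSet every returned record carries a
    # ResultCount property holding the total number of hits for the query.
    $probeId = [guid]::NewGuid().ToString()
    $probe = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -SessionId $probeId -SessionCommand ReturnLargeSet -ResultSize 1
    if (-not $probe) { return 0 }          # nothing in this window
    $total = $probe[0].ResultCount

    # Too many hits for one slice: split the window in half and recurse.
    # A 1-minute floor stops the recursion on a burst that cannot be split further.
    if ($total -gt $MaxPerSlice -and ($End - $Start).TotalMinutes -gt 1) {
        $mid = $Start.AddTicks([long](($End - $Start).Ticks / 2))
        return (Get-UalSlice -Start $Start -End $mid -OutFile $OutFile -MaxPerSlice $MaxPerSlice) +
               (Get-UalSlice -Start $mid   -End $End -OutFile $OutFile -MaxPerSlice $MaxPerSlice)
    }

    # The slice fits: page through it in one session (5000 is the maximum page size)
    # and stop on the first short or empty page instead of looping forever.
    $sessionId = [guid]::NewGuid().ToString()
    $pulled = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) {
            $page | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
                Export-Csv -Path $OutFile -Append -NoTypeInformation
            $pulled += @($page).Count
        }
    } while ($page -and @($page).Count -eq 5000)
    return $pulled
}

# Usage: start with 60-minute windows over the last day; each call returns the
# number of records written so gaps can be spotted by comparing against ResultCount.
$end = Get-Date
$start = $end.AddDays(-1)
$written = 0
while ($start -lt $end) {
    $next = $start.AddMinutes(60)
    if ($next -gt $end) { $next = $end }
    $written += Get-UalSlice -Start $start -End $next -OutFile '.\ual-export.csv'
    $start = $next
}
Write-Host "Wrote $written audit records"
```

Because each recursion level probes with its own session before paging, a window that still reports more than 50k hits at the 1-minute floor will only ever yield the first 50k of that minute; the returned count makes that truncation visible rather than silent.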
Does Robust Cloud Command help against this restriction?