Bug: Search-UnifiedAuditLog unable to gather more than 50,000 items
What happened?
Once the scan hits 50,000 items, it is unable to proceed any further and just loops with the same message:
[2025-05-29 21:14:42Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:15:24Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:16:07Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:16:47Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:17:28Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:18:08Z] - [INFO] - Retrieved:45605 Total: 83348
[2025-05-29 21:18:49Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:51Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:53Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:54Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:56Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:57Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:18:59Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:00Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:02Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:03Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:05Z] - [INFO] - Retrieved:50000 Total: 83348
[2025-05-29 21:19:07Z] - [INFO] - Retrieved:50000 Total: 83348
I left this to run overnight, and it never completed. It is still showing the same thing.
Steps to Reproduce
Command used: Start-HawkUserInvestigation -UserPrincipalName [email protected] -StartDate '04/01/2025' -EndDate '05/29/2025' -FilePath 'c:\subfolder' -SkipUpdate
Hawk Version
Latest - Installed 5/29/2025 (4.0)
I'm having the same trouble. Doesn't seem to matter what date range I use (down to a single day), the UAL total is always the same and always well over 50,000.
Can you provide a screenshot of the log? What subfunction is the Tenant Investigation hanging up on? Sorry this is happening; we may have missed some tenant size constraints and need to update accordingly.
This was with command: Start-HawkUserInvestigation -UserPrincipalName [email protected] -DaysToLookBack 5 -FilePath .\
The screenshots are a little incongruent because I'd terminate the command shortly after seeing the Total over 50000, on subsequent attempts.
Any update to this?
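Added example, not part of the thread and not Hawk's code: one way to collect a window whose total exceeds the 50,000-record paging ceiling of a single `Search-UnifiedAuditLog` session is to bisect the time range until each slice fits, and to stop paging when a call returns nothing new instead of re-polling. `Get-UalWindow` is a hypothetical helper name, the UPN in the usage comment is a placeholder, and the code assumes that `ResultCount` on a returned record reflects the total for the queried window.

```powershell
# Added example, not Hawk's code. Get-UalWindow is a hypothetical helper name.
# Assumes an Exchange Online session already exists (Connect-ExchangeOnline).
function Get-UalWindow {
    param(
        [Parameter(Mandatory)] [string]   $UserId,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [int]      $SessionCap = 50000,                     # paging ceiling per session
        [timespan] $MinWindow  = (New-TimeSpan -Minutes 1)  # do not bisect below this
    )
    $common = @{ StartDate = $Start; EndDate = $End; UserIds = $UserId }

    # Assumption: ResultCount on any returned record is the total for the window.
    $probe = @(Search-UnifiedAuditLog @common -ResultSize 1)
    if ($probe.Count -eq 0) { return }
    $total = [int]$probe[0].ResultCount

    if ($total -gt $SessionCap -and ($End - $Start) -gt $MinWindow) {
        # More records than one session can page through: halve the window and recurse.
        $mid = $Start.AddTicks([long](($End - $Start).Ticks / 2))
        Get-UalWindow -UserId $UserId -Start $Start -End $mid -SessionCap $SessionCap -MinWindow $MinWindow
        Get-UalWindow -UserId $UserId -Start $mid -End $End -SessionCap $SessionCap -MinWindow $MinWindow
        return
    }

    $sessionId = [guid]::NewGuid().ToString()
    $retrieved = 0
    while ($retrieved -lt $total -and $retrieved -lt $SessionCap) {
        $page = @(Search-UnifiedAuditLog @common -SessionId $sessionId `
                    -SessionCommand ReturnLargeSet -ResultSize 5000)
        if ($page.Count -eq 0) { break }   # no new records: stop instead of re-polling
        $retrieved += $page.Count
        $page                              # emit records to the pipeline
    }
    if ($retrieved -lt $total) {
        Write-Warning "Incomplete: $retrieved of $total for $Start .. $End"
    }
}

# Records on a shared slice boundary may appear twice, so de-duplicate on Identity.
# Get-UalWindow -UserId 'user@example.com' -Start '2025-04-01' -End '2025-05-29' |
#     Sort-Object Identity -Unique | Export-Csv .\ual.csv -NoTypeInformation
```

If the reported total stays above 50,000 even for the smallest slice, as one comment above describes, the function warns about the incomplete slice rather than looping.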