Need to deal with the 50k Item limit #22

Canthv0 · 2019-08-28T16:58:20Z

Search-UnifiedAuditLog will only return 50k items. If the search gets back >50k items we have two issues:

How do we get all of the items back and not just the 50K
Right now the return gets stuck in a loop and will keep trying to get back the 50k

davidrudduck · 2019-09-01T22:14:17Z

Could you use something like the example script at this url (https://blogs.msdn.microsoft.com/tehnoonr/2018/01/26/retrieving-office-365-audit-data-using-powershell/) to pull down the Unified Audit Log in 15 minute chunks?

Or start with 60 minute chunks and if the query produces > 5,000 results reduce the time slice further to help optimise the pull.

I hacked at the above script and managed to pull down 1.2GB worth of Unified Audit Log for a tenancy before it finally crapped out.

T0pCyber · 2021-04-15T15:37:00Z

Does Robust Cloud Command help against this restriction?

T0pCyber added this to To do in Community Contributions Feb 20, 2021

T0pCyber added the Enhancement New feature or request label Apr 15, 2021

blade3 mentioned this issue Oct 3, 2023

[FIX] 50k limit in UnifiedAuditLog. looping by days if limit is reached #111

Open

12 tasks

Provide feedback