[FIX] 50k limit in UnifiedAuditLog. looping by days if limit is reached #111

Open
wants to merge 3 commits into
base: Development

Conversation

@blade3 blade3 commented Oct 3, 2023

Pull Request Template

Description

  • Factorization code for Hawk/internal/functions/Get-AllUnifiedAuditLogEntry.ps1
  • If $Output[-1].ResultCount is equal to or greater than 50k, the command will be split by days.

Fixes #22 (issue)

Type of change

  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

How Has This Been Tested?

  • Uses the Start-HawkUserInvestigation user@email.com which has more than 50 0000 Unified Audit Logs.
  • If it's not possible to trigger the first test, you can replace line 119 with a smaller value to trigger try/catch.

Checklist:

  • My code follows the style guidelines of Hawk
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have checked my code and corrected any misspellings
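
The day-by-day fallback from the description above, as an added example that is not the PR's code. `Get-AuditWindowByDay`, `$Search` and `$mock` are hypothetical names; `$Search` stands in for the paged Search-UnifiedAuditLog loop, and the ceiling is lowered to 5 so the constructed sample triggers the split, as the testing notes suggest.

```powershell
# Added example, not code from the PR. $Search is a hypothetical stand-in for Hawk's
# paged Search-UnifiedAuditLog loop: called with (start, end), it returns records whose
# ResultCount is the total the service reported for that window (assumption).
function Get-AuditWindowByDay {
    param(
        [datetime]$Start,
        [datetime]$End,
        [scriptblock]$Search,
        [int]$Limit = 50000          # ceiling named in the PR title
    )
    $out = @(& $Search $Start $End)
    if ($out.Count -eq 0 -or $out[-1].ResultCount -lt $Limit) {
        return $out                  # under the ceiling: the window is complete
    }
    # Ceiling reached, so the set may be truncated: query again one day at a time.
    $all = @()
    for ($d = $Start; $d -lt $End; $d = $d.AddDays(1)) {
        $dayEnd = $d.AddDays(1)
        if ($dayEnd -gt $End) { $dayEnd = $End }
        $day = @(& $Search $d $dayEnd)
        if ($day.Count -gt 0 -and $day[-1].ResultCount -ge $Limit) {
            # A single day can hit the ceiling too; flag it instead of losing records silently.
            Write-Warning "$($d.ToString('yyyy-MM-dd')) reaches $Limit records; results for that day may be incomplete."
        }
        $all += $day
    }
    return $all
}

# Constructed sample: events per day for a fictitious user, with the ceiling lowered to 5.
$perDay = @{ '2023-10-01' = 3; '2023-10-02' = 4; '2023-10-03' = 2 }
$mock = {
    param($s, $e)
    $n = 0
    for ($d = $s; $d -lt $e; $d = $d.AddDays(1)) { $n += $perDay[$d.ToString('yyyy-MM-dd')] }
    $n = [Math]::Min($n, 5)          # the mock service stops at the ceiling
    if ($n -gt 0) { 1..$n | ForEach-Object { [pscustomobject]@{ Day = $s; ResultCount = $n } } }
}

$r = Get-AuditWindowByDay -Start '2023-10-01' -End '2023-10-04' -Search $mock -Limit 5
"{0} records collected" -f @($r).Count
```

For an investigation, the warning branch matters most: a day that still reaches the ceiling means the exported log has a gap that should be recorded with the evidence.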

T0pCyber and others added 3 commits March 30, 2023 13:03
## 3.1.0 (2023-03-30)
a. Updated community pull requests fixing typo
b. Updated Get-HawkTenantAuditLog.ps1 to Get-HawkTenantAppAuditLog.ps1
c. Added "Get-HawkTenantDomainActivity" function - This function will pull domain config changes from the UAL
d. Added "Get-HawkTenantEDiscoveryLogs" function - This function will pull EDiscovery logs from the UAL
e. Added Export of JSON to "Out-Multifileype" function. This will export returned results to JSON file for further ingestion into a SIEM or other data analysis platform
f. Remove MSOnline requirements
g. Added MS Graph requirements to replace MSOnline
h. Fixed path for System.Net.IPNetwork.dll
@T0pCyber
Owner

T0pCyber commented Oct 3, 2023

Will add to DevBranch and test with other additional changes in development. Thanks for this. :-)

2 participants