0 Votes
BenStobbs-3834 asked MayankBargali-MSFT edited

Programmatically Retrieve all Unified Audit Logs

Hi there,

I am attempting to develop a script to programmatically retrieve and process all logs available from the Office 365 Unified Audit Logs for the purpose of forensic investigation following breaches. I have tried the following options, with no success:

  • Microsoft 365 Management API - This contains the correct data, but is of limited usefulness for forensic investigations due to the short 7 day retention period.

  • Microsoft Graph - This does not contain all the relevant data - you cannot access the Unified Audit Logs directly through Graph, and the usage reports do not cover all items contained in the Audit Logs (e.g. Exchange actions).

  • Search-UnifiedAuditLog on Exchange PowerShell - Microsoft themselves recommend not to use this programmatically, and I've experienced extremely unreliable results and unmanageable rate-limiting when trying to do so.

So is there something I'm missing here, or is there no way to programmatically retrieve all items from the Unified Audit Logs for the entire retention period (generally 90 days)?



not-supported
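For readers weighing the third option above, here is a collection script built around Search-UnifiedAuditLog, written as an added example for this page; it is not the asker's script and not Microsoft guidance. It assumes the ExchangeOnlineManagement module is installed and that Connect-ExchangeOnline has already been run with an account holding the View-Only Audit Logs role; the parameter names $OutFile, $DaysBack and $WindowHours are chosen for this example, and the 50,000-record session cap is the documented limit of SessionCommand ReturnLargeSet.

```powershell
# Added example: pull the Unified Audit Log over the retention period in fixed windows,
# page each window through one search session, and write the raw AuditData JSON as
# one record per line. Not the asker's code and not Microsoft's; see lead-in for assumptions.
param(
    [string]$OutFile = ".\unified-audit-log.jsonl",   # assumed output path
    [int]$DaysBack = 90,                              # retention period to cover
    [int]$WindowHours = 24                            # size of each search window
)

$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-$DaysBack)
$total = 0

# Walk the period in windows so no single session exceeds the ReturnLargeSet cap.
for ($winStart = $start; $winStart -lt $end; $winStart = $winStart.AddHours($WindowHours)) {
    $winEnd = $winStart.AddHours($WindowHours)
    if ($winEnd -gt $end) { $winEnd = $end }

    # One SessionId per window; repeated calls with the same id return successive pages.
    $sessionId   = [guid]::NewGuid().ToString()
    $windowCount = 0
    $expected    = $null

    do {
        $page    = $null
        $attempt = 0
        # Retry throttling and transient failures with a growing pause between attempts.
        while ($null -eq $page -and $attempt -lt 5) {
            try {
                $page = @(Search-UnifiedAuditLog -StartDate $winStart -EndDate $winEnd `
                          -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
            } catch {
                $attempt++
                Write-Warning ("Search failed for {0:u}..{1:u} (attempt {2}): {3}" -f `
                               $winStart, $winEnd, $attempt, $_.Exception.Message)
                Start-Sleep -Seconds (30 * $attempt)
            }
        }
        if ($null -eq $page) { throw "Giving up on window $winStart..$winEnd after repeated failures" }

        if ($page.Count -gt 0) {
            # ResultCount on any row is the server-side total for the whole session.
            if ($null -eq $expected) { $expected = $page[0].ResultCount }
            # AuditData holds the event JSON; one record per line streams into a SIEM easily.
            $page | ForEach-Object { $_.AuditData } | Add-Content -Path $OutFile -Encoding utf8
            $windowCount += $page.Count
            $total       += $page.Count
        }
    } while ($page.Count -gt 0)

    # A shortfall against ResultCount means the window was truncated: re-run it with a
    # smaller $WindowHours rather than treating the export as complete.
    if ($null -ne $expected -and $windowCount -lt $expected) {
        Write-Warning ("{0:u}..{1:u}: got {2} of {3} records; shrink the window and re-run" -f `
                       $winStart, $winEnd, $windowCount, $expected)
    } else {
        Write-Host ("{0:u}..{1:u}: {2} records" -f $winStart, $winEnd, $windowCount)
    }
}
Write-Host "Wrote $total records to $OutFile"
```

The two design choices that matter for completeness are the fixed time windows, which keep each session under the large-set cap, and the comparison of records received against ResultCount, which turns silent truncation into a visible warning for the window concerned. The backoff loop absorbs the throttling the asker describes but does not remove it; a 90-day pull of a busy tenant will still take hours and should be run from a scheduled job that records which windows completed.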

0 Answers