
0 Votes
CybP-8776 asked David-Barrett edited

How to list Exchange audit content between dates using Office 365 Management API?

Hi,

I am trying to list Exchange audit content between dates using the Office 365 Management API.
I prepare the request like this:

/api/v1.0/{tenat}/activity/feed/subscriptions/content?contentType=Audit.Exchange&PublisherIdentifier={tenat}&startTime=2021-09-09T10:31:58&endTime=2021-09-09T10:32:58


But every time I get the same list of contents with contentCreated < startTime.
If there are no events I get the same list of contents, but if I have a number of Exchange events, the returned content list changes but contentCreated < startTime.

From my point of view I should get only content with contentCreated >= startTime, or nothing.

Why am I getting content with contentCreated less than startTime?

office-exchange-server-dev

1 Answer

0 Votes
David-Barrett answered David-Barrett edited

You can't use the Office 365 Management API to search for audit data. You can only use the management API to collect your audit logs. You would then search those logs offline (e.g. you could import the logs into an SIEM and search in that).

Docs are here: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview

To clarify, the start and end time refer to the times that the audit events were made available to the management API. They are not the times of the events.
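The distinction drawn in the answer, as an added example that is not part of the original answer: selecting content by contentCreated versus searching the collected records offline by their own CreationTime. The content entries and audit records are constructed sample data, the helper names are hypothetical, and the half-open window comparison is this example's choice.

```python
from datetime import datetime

# Constructed sample: entries as listed by /subscriptions/content, each paired
# with the audit records already downloaded from its contentUri.
COLLECTED = [
    {"contentId": "sample-blob-1",
     "contentCreated": "2021-09-09T10:32:10.000Z",
     "records": [
         {"Id": "r1", "CreationTime": "2021-09-09T10:05:41", "Operation": "MailItemsAccessed"},
         {"Id": "r2", "CreationTime": "2021-09-09T10:31:59", "Operation": "Send"},
     ]},
    {"contentId": "sample-blob-2",
     "contentCreated": "2021-09-09T11:02:47.000Z",
     "records": [
         {"Id": "r3", "CreationTime": "2021-09-09T10:32:30", "Operation": "SoftDelete"},
         {"Id": "r4", "CreationTime": "2021-09-09T10:58:02", "Operation": "Send"},
     ]},
]

def parse_utc(ts):
    """Parse a UTC timestamp with or without fractional seconds and trailing Z."""
    return datetime.fromisoformat(ts.rstrip("Z"))

def blobs_in_window(collected, start, end):
    """Select content by availability time (contentCreated), as startTime/endTime do."""
    return [b["contentId"] for b in collected
            if start <= parse_utc(b["contentCreated"]) < end]

def events_in_window(collected, start, end):
    """Offline search: select records by event time (CreationTime) across all content."""
    hits = [r for b in collected for r in b["records"]
            if start <= parse_utc(r["CreationTime"]) < end]
    return sorted(hits, key=lambda r: r["CreationTime"])

# The one-minute window from the question.
START = parse_utc("2021-09-09T10:31:58")
END = parse_utc("2021-09-09T10:32:58")

if __name__ == "__main__":
    print("content made available in window:", blobs_in_window(COLLECTED, START, END))
    for rec in events_in_window(COLLECTED, START, END):
        print("event in window:", rec["Id"], rec["CreationTime"], rec["Operation"])
```

In this sample, record r3 falls inside the window by event time but sits in content that became available later, so a collector has to pull a wider availability range than the event range it wants to search.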
