This took way, way too much work. Still testing it, but I think we finally have a way to truly audit the Microsoft Unified Audit Log.
Microsoft's Search-UnifiedAuditLog -SessionCommand ReturnLargeSet can't be trusted to return the same data twice. Each session hands back some random slice of the results and reports it as the full set. Sometimes it'll tell you a busy day had zero events. And when it throttles, it doesn't throw an error. It buries a warning in the output, which sails right past any retry logic that's only watching for failures.
We worked around all of this. Empty result windows get treated as suspect, so we re-probe before accepting them and moving on. We parse out the throttle warnings and turn them into actual retries. And we run several passes over the same time range, staggered apart, then merge the results and dedupe on record ID, repeating until the count stops changing.
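The three workarounds above, wired together in PowerShell as an added illustration (this is not the author's tooling). It assumes an existing Exchange Online session from Connect-ExchangeOnline; the function names, the `throttl` regex used to recognise the throttle warning, the window size, pass counts and sleep intervals are all assumptions chosen for illustration, not values from the post. Records are merged on the `Identity` property, which is the per-record GUID the cmdlet returns.

```powershell
# Added example: a collector that treats Search-UnifiedAuditLog output as untrusted
# until repeated passes agree. Assumes Connect-ExchangeOnline has already been run.
# Throttle regex, retry counts, window size and sleeps are assumptions, not Microsoft values.

function Invoke-UalSession {
    # Pull one complete ReturnLargeSet session for a window, paging with the same
    # SessionId until the cmdlet hands back nothing. Returns $null when a throttle
    # warning is seen, so the caller retries instead of trusting a partial slice.
    [CmdletBinding()]
    param([datetime]$Start, [datetime]$End)

    $sessionId = [guid]::NewGuid().ToString()
    $collected = @{}
    do {
        $warn = @()
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000 `
            -WarningVariable warn -WarningAction SilentlyContinue
        # Throttling arrives as a warning, not a terminating error, so a try/catch
        # never sees it. The pattern is an assumption: check the wording your tenant emits.
        if (($warn | Out-String) -match 'throttl') { return $null }
        foreach ($r in $page) { $collected[$r.Identity] = $r }
    } while ($page -and @($page).Count -gt 0)
    return $collected
}

function Get-UalWindow {
    # Fetch one window, treating both throttles and empty results as suspect.
    [CmdletBinding()]
    param([datetime]$Start, [datetime]$End, [int]$MaxAttempts = 4)

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        $result = Invoke-UalSession -Start $Start -End $End
        if ($null -eq $result) {
            Write-Verbose "Throttled on $Start..$End (attempt $attempt); backing off"
            Start-Sleep -Seconds (60 * $attempt)   # assumed back-off schedule
            continue
        }
        if ($result.Count -eq 0) {
            # Zero events is more often a bad session than a quiet tenant:
            # re-probe before accepting the empty window and moving on.
            Write-Verbose "Empty window $Start..$End (attempt $attempt); re-probing"
            Start-Sleep -Seconds 20
            continue
        }
        return $result
    }
    # Still empty or throttled after every attempt: say so rather than silently dropping it.
    Write-Warning "Window $Start..$End unresolved after $MaxAttempts attempts"
    return @{}
}

function Get-UalAudited {
    # Run staggered passes over the same range, merge on record ID, and stop only
    # once a full pass adds no new records (and a minimum number of passes has run).
    [CmdletBinding()]
    param(
        [datetime]$Start, [datetime]$End,
        [int]$WindowMinutes = 60,      # keeps each session well under the 50,000-record cap
        [int]$MinPasses = 3,
        [int]$MaxPasses = 8,
        [int]$StaggerSeconds = 90
    )

    $merged = @{}
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        $before = $merged.Count
        $cursor = $Start
        while ($cursor -lt $End) {
            $next = $cursor.AddMinutes($WindowMinutes)
            if ($next -gt $End) { $next = $End }
            $window = Get-UalWindow -Start $cursor -End $next
            foreach ($k in $window.Keys) { $merged[$k] = $window[$k] }   # dedupe on Identity
            $cursor = $next
        }
        $added = $merged.Count - $before
        Write-Verbose "Pass $pass added $added new records (total $($merged.Count))"
        if ($pass -ge $MinPasses -and $added -eq 0) { break }
        Start-Sleep -Seconds $StaggerSeconds   # stagger the next pass
    }
    return $merged.Values
}

# Usage: audit the last 24 hours and keep the merged, deduplicated records.
# $events = Get-UalAudited -Start (Get-Date).AddDays(-1) -End (Get-Date) -Verbose
# $events | Export-Csv -Path .\ual-merged.csv -NoTypeInformation
```

The convergence check is deliberately conservative: a pass that adds nothing after fewer than `MinPasses` runs is not trusted, because two sessions can agree on the same incomplete slice. Compare the merged count against the number of distinct `Id` values inside the `AuditData` JSON if you want a second opinion on the dedupe key.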
#microsoft #powershell #Search-UnifiedAuditLog #audit #assessment #scripting #customtooling
