
Comments (2)

Canthv0 commented on July 23, 2024

If you could provide the logs from a run that didn't generate the converted file that would assist in being able to determine what is failing.

from hawk.

Absoblogginlutely commented on July 23, 2024

So I actually have an audit that ran for a user over the time period of 4/16/2019 thru 8/15/2019 that did not generate any logs.
I also happen to have another audit for the same user that ran for the time period of 8/4/2019 thru 8/15/2019 (a subset of the above) and this did generate an audit log.
It appears that the first search across a large time set generated no results, yet the results for the past 11 days did generate results.
Looking at log files and rerunning the command, from the logs I get the following.
$a=Search-UnifiedAuditLog -UserIDs [email protected] -RecordType ExchangeItem -StartDate '05/30/2019 00:00:00' -EndDate '08/15/2019 00:00:00'
Audit log search argument startDate should be after 5/30/2019 8:58:55 PM UTC.
+ CategoryInfo : InvalidArgument: (:) [Search-UnifiedAuditLog], ArgumentException

Changing the start date to 5/31 I then get
$a=Search-UnifiedAuditLog -UserIDs [email protected] -RecordType ExchangeItem -StartDate '05/31/2019 00:00:00' -EndDate '08/15/2019 00:00:00'
$a.count
100
(100 because I didn't specify the data size.)
So it looks like the logs are not returned if the start date is too soon. It looks like this is because the start date is more than 90 days ago and that is the max number that is available with an E3 licence.
Therefore the start date field should default to (get-date).adddays(-90)

Sanitized section of the log below - let me know if you need different logs.
[8/14/2019 9:21:40 AM] - [ACTION] - Retrieving Logon History for [email protected]
[8/14/2019 9:21:40 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryAccountLogon
[8/14/2019 9:21:40 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:40 AM] - Search-UnifiedAuditLog -UserIds [email protected] -RecordType AzureActiveDirectoryAccountLogon -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092140
[8/14/2019 9:21:44 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:44 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectory
[8/14/2019 9:21:44 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:44 AM] - Search-UnifiedAuditLog -UserIds [email protected] -RecordType AzureActiveDirectory -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092144
[8/14/2019 9:21:47 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:47 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryStsLogon
[8/14/2019 9:21:47 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:47 AM] - Search-UnifiedAuditLog -UserIds [email protected] -RecordType AzureActiveDirectoryStsLogon -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092147
[8/14/2019 9:21:49 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:50 AM] - [ERROR] - No results found when searching UAL for AzureActiveDirectoryAccountLogon events
[8/14/2019 9:21:51 AM] - [ACTION] - Attempting to Gather Mailbox Audit logs [email protected]
[8/14/2019 9:21:52 AM] - Mailbox Auditing is enabled.
[8/14/2019 9:21:52 AM] - Searching Unified Audit Log for Exchange Related Events
[8/14/2019 9:21:52 AM] - Running Unified Audit Log Search
[8/14/2019 9:21:52 AM] - Search-UnifiedAuditLog -UserIDs [email protected] -RecordType ExchangeItem -StartDate '04/16/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 092152
[8/14/2019 9:21:55 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 9:21:55 AM] - Found 0 Exchange audit records.
[8/14/2019 9:21:55 AM] - No Data Found

logs generated
[8/14/2019 10:00:35 AM] - [ACTION] - Retrieving Logon History for [email protected]
[8/14/2019 10:00:36 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryAccountLogon
[8/14/2019 10:00:36 AM] - Running Unified Audit Log Search
[8/14/2019 10:00:36 AM] - Search-UnifiedAuditLog -UserIds [email protected] -RecordType AzureActiveDirectoryAccountLogon -StartDate '08/04/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 100036
[8/14/2019 10:00:43 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 10:00:43 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectory
[8/14/2019 10:00:43 AM] - Running Unified Audit Log Search
[8/14/2019 10:00:43 AM] - Search-UnifiedAuditLog -UserIds [email protected] -RecordType AzureActiveDirectory -StartDate '08/04/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 100043
[8/14/2019 10:00:46 AM] - [WARNING] - Unified Audit log returned no results.
[8/14/2019 10:00:46 AM] - Searching Unified Audit log for Records of type: AzureActiveDirectoryStsLogon
[8/14/2019 10:00:46 AM] - Running Unified Audit Log Search
[8/14/2019 10:00:46 AM] - Search-UnifiedAuditLog -UserIds [email protected] -RecordType AzureActiveDirectoryStsLogon -StartDate '08/04/2019 00:00:00' -EndDate '08/15/2019 00:00:00' -SessionCommand ReturnLargeSet -resultsize 1000 -sessionid 100046
[8/14/2019 10:01:07 AM] - Retrieved all results.
[8/14/2019 10:01:07 AM] - Retrieved:648 Total: 648
[8/14/2019 10:01:07 AM] - Converting AuditData
[8/14/2019 10:01:08 AM] - [ERROR] - 0 Entries failed JSON Conversion
[8/14/2019 10:01:08 AM] - No Data Found
[8/14/2019 10:01:08 AM] - Reading file C:\Users\ahelsby\AppData\Local\Hawk\Hawk.json
[8/14/2019 10:01:08 AM] - Building MSFTIPList
[8/14/2019 10:01:08 AM] - Loading Networking functions from C:\Program Files\WindowsPowerShell\Modules\hawk\1.10.1\System.Net.IPNetwork.dll
[8/14/2019 10:01:32 AM] - Found 0 unique MSFT IPv6 address ranges
[8/14/2019 10:01:32 AM] - Found 0 unique MSFT IPv4 address ranges
[8/14/2019 10:01:32 AM] - Creating global variable $MSFTIPList
[8/14/2019 10:02:50 AM] - Converting to Human Readable
[8/14/2019 10:03:07 AM] - Writing Data to c:\temp\hawk\naht\20190814_0959\[email protected]\[email protected]
[8/14/2019 10:03:07 AM] - Writing Data to c:\temp\hawk\naht\20190814_0959\[email protected]\[email protected]

from hawk.
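The failure described in the comment above can be made visible to the investigator instead of surfacing as "no results": the following added example (not part of the original comment and not Hawk's code) reads the earliest allowed start date out of the error text quoted there and reports how much of the requested window is not covered. `Get-ClampedAuditStart` is a hypothetical helper name, and the requested start is assumed to be expressed in UTC.

```powershell
# Added example; Get-ClampedAuditStart is a hypothetical helper, not part of Hawk.
function Get-ClampedAuditStart {
    param(
        [Parameter(Mandatory)][datetime]$RequestedStart,
        [Parameter(Mandatory)][string]$ErrorMessage
    )

    # Only act on the specific message quoted in the comment above;
    # for any other error return nothing rather than guess a date.
    if ($ErrorMessage -notmatch 'startDate should be after (?<ts>.+?) UTC') {
        return
    }

    # The message carries a US-format timestamp that is stated to be UTC.
    $culture  = [Globalization.CultureInfo]::GetCultureInfo('en-US')
    $styles   = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $boundary = [datetime]::Parse($Matches['ts'], $culture, $styles)

    # The service wants a start strictly after the boundary.
    $earliest  = $boundary.AddSeconds(1)
    # Assumption: the requested start is already expressed in UTC.
    $requested = [datetime]::SpecifyKind($RequestedStart, [DateTimeKind]::Utc)
    $truncated = $requested -lt $earliest

    [pscustomobject]@{
        RequestedStart = $requested
        EffectiveStart = if ($truncated) { $earliest } else { $requested }
        Truncated      = $truncated
        UncoveredDays  = if ($truncated) {
            [math]::Round(($earliest - $requested).TotalDays, 1)
        } else { 0 }
    }
}

# Message text copied from the comment above; the requested start is the
# one used by the run in the log that returned no results.
$msg = 'Audit log search argument startDate should be after 5/30/2019 8:58:55 PM UTC.'
$r   = Get-ClampedAuditStart -RequestedStart '04/16/2019 00:00:00' -ErrorMessage $msg

if ($r.Truncated) {
    Write-Warning ("Audit data before {0:u} is not available; {1} requested days are not covered." -f
        $r.EffectiveStart, $r.UncoveredDays)
}
$r
```

In an investigation the uncovered span matters as much as the results: an empty export for a window that starts before the boundary says nothing about what the account did in that period.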
