none
UnifiedAuditLog result truncated RRS feed

  • Question

  • Hi team,

                I am currently using UnifiedAuditLog of office365 to audit my office365 environment.I am using unified audit log by powershell command lets.While getting logs from office365 environment result are truncated so i cannot able to understand my environment.I don't know why i am getting truncated result in my environment.Kindly assist me to get full log from office365.

    Details :

    API Used : https://docs.microsoft.com/en-us/powershell/module/exchange/policy-and-compliance-audit/Search-UnifiedAuditLog?view=exchange-ps

    Sample event:

    RecordType   : AzureActiveDirectory
    CreationDate : 12/20/2018 10:50:25 AM
    UserIds      : syncuser@mydomain.onmicrosoft.com
    Operations   : Add user.
    AuditData    : {"CreationTime":"2018-12-20T10:50:25","Id":"50e29035-2420-430e-9238-02c52fb29fb7","Operation":"Add user.","OrganizationId":"3bd72c4a-ee08-4791-9c0f-544b2a1a0804","RecordType
                   ":8,"ResultStatus":"Success","UserKey":"10030000A5905C22@mydomain.onmicrosoft.com","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"<null>",
                   "ObjectId":"d@mydomain.com","UserId":"syncuser@mydomain.onmicrosoft.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ac
                   torContextId","Value":"3bd72c4a-ee08-4791-9c0f-544b2a1a0804"},{"Name":"actorObjectId","Value":"d0c913b2-301f-43c6-8901-f66f1f992c62"},{"Name":"actorObjectClass","Value":"Use
                   r"},{"Name":"actorUPN","Value":"syncuser@mydomain.onmicrosoft.com"},{"Name":"actorPUID","Value":"10030000A5905C22"},{"Name":"teamName","Value":
                   "MSODS."},{"Name":"targetContextId","Value":"3bd72c4a-ee08-4791-9c0f-544b2a1a0804"},{"Name":"targetObjectId","Value":"eef5b34e-ee1e-4d55-91a2-4b17f35e588e"},{"Name":"extende
                   dAuditEventCategory","Value":"User"},{"Name":"targetUPN","Value":"d@mydomain.com"},{"Name":"targetPUID","Value":"10032000351576F8"},{"Name":"targetIncludedUpdatedProperti
                   es","Value":"[\"AccountEnabled\",\"LastDirSyncTime\",\"SourceAnchor\",\"StsRefreshTokensValidFrom\",\"UserPrincipalName\",\"UserType\",\"Action Client Name\"]"},{"Name":"tar
                   getUpdatedProperties","Value":"[{\"Name\":\"AccountEnabled\",\"OldValue\":[],\"NewValue\":[true]},{\"Name\":\"LastDirSyncTime\",\"OldValue\":[],\"NewValue\":[\"2018-12-20T02
                   :50:25Z\"]},{\"Name\":\"SourceAnchor\",\"OldValue\":[],\"NewValue\":[\"0z5j09ofe0yaCZRYGsN9\/A==\"]},{\"Name\":\"StsRefreshTokensValidFrom\",\"OldValue\":[],\"NewValue\":[\"
                   2018-12-20T10:19:02Z\"]},{\"Name\":\"UserPrincipalName\",\"OldValue\":[],\"NewValue\":[\"d@mydomain.com\"]},{\"Name\":\"UserType\",\"OldValue\":[],\"NewValue\":[\"Member\
                   "]},{\"Name\":\"Included Updated Properties\",\"OldValue\":null,\"NewValue\":\"AccountEnable..."},{"Name":"correlationId","Value":"7e263f8f-b1c3-406b-a857-e3c1a6a70409"},{"N
                   ame":"version","Value":"2"},{"Name":"additionalDetails","Value":"{}"},{"Name":"resultType","Value":"Success"},{"Name":"auditEventCategory","Value":"UserManagement"},{"Name":
                   "nCloud","Value":"<null>"},{"Name":"env_ver","Value":"2.1"},{"Name":"env_name","Value":"#Ifx.AuditSchema#IfxMsods.AuditCommonEvent"},{"Name":"env_time","Value":"2018-12-20T1
                   0:50:25.3987830Z"},{"Name":"env_epoch","Value":"C7TXY"},{"Name":"env_seqNum","Value":"17535548"},{"Name":"env_popSample","Value":"0"},{"Name":"env_iKey","Value":"ikey"},{"Na
                   me":"env_flags","Value":"257"},{"Name":"env_cv","Value":"##00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000_00000000-0000-0000-0000-000000000000"},{
                   "Name":"env_os","Value":"<null>"},{"Name":"env_osVer","Value":"<null>"},{"Name":"env_appId","Value":"adminwebservice"},{"Name":"env_appVer","Value":"1.0.10672.0"},{"Name":"e
                   nv_cloud_ver","Value":"1.0"},{"Name":"env_cloud_name","Value":"MSO-BL2"},{"Name":"env_cloud_role","Value":"adminwebserv
    ResultIndex  : 11
    ResultCount  : 21
    Identity     : 50e29035-2420-430e-9238-02c52fb29fb7
    IsValid      : True
    ObjectState  : Unchanged

    Wednesday, January 9, 2019 12:18 PM

All replies