Share this page!

Enter Twitter Thread URL to Unroll

Needs to be the full URL like: https://twitter.com/threadreaderapp/status/1644127596119195649

How to get URL link on Twitter App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Frank Lesniak Profile picture
@FrankLesniak
Jun 2 13 tweets 4 min read Twitter logo Read on Twitter
OK, so there is definitely a problem with the Search-UnifiedAuditLog cmdlet in #Microsoft365. Confirmed this in multiple tenants - here's what I'm seeing: 🧵

#threathunting #threathunt #auditlogs #M365 #Office365 #O365 #M365Security
First, go to security.microsoft.com -> Audit and perform a new search for all events in a given timeframe (a few hours, total). Have this available for reference.
Next, open PowerShell and connect to Exchange Online:

Connect-ExchangeOnline

You ran a search in the Defender portal with a date range of a few hours. Within that same timeframe, pick an even smaller date/time range that has < 100 events. You'll need those timestamps next.
Run this command:
$strSessionID = ([guid]::NewGuid()).Guid

Next, run this command:
$output = @(Search-UnifiedAuditLog -StartDate ([datetime]'04/08/2023 05:47:54') -EndDate ([datetime]'04/08/2023 06:06:13') -SessionId $strSessionID -ResultSize 100)

(modify the timestamps)
When you run:
$output.Count
you will get 0 results even though you've validated that there are events in this timeframe!

But wait, there's more...
Refer to the original date/time range that you queried in the Defender portal - but this time, pick a subset of the date/time range that has more than 100 events but less than 1000. Between 100 and 200 events is ideal. You'll use this date/time range in the next step.
Determine how many queries you need.

For example, if you have 650 events in this timeframe, and we are running 100 events per query, then you need 7 queries.
Got it? OK, now run:

$strSessionID = ([guid]::NewGuid()).Guid

and then:

$output = @(Search-UnifiedAuditLog -StartDate ([datetime]'04/08/2023 05:47:54') -EndDate ([datetime]'04/08/2023 06:06:13') -SessionId $strSessionID -ResultSize 100)

(update the date/times)
This time, $output.Count will be 100! Yay!

Re-run the Search-UnifiedAuditLog cmdlet (repeat the exact same command), and it will continue to return 100 results up until and including the second-to-last query for the given number of events....
Now run the last query (remember the example I gave of 650 events? This would be query number 7).

In my example, when you run $output.Count, you should expect to see 50 results, right?

Well, the same bug is back. The last page of results always returns 0 events. What the heck?
If anyone in my network has contacts at Microsoft that work on security products, please help me out and @ them 🙏🏻

My team is helping a client with an active security incident, and this issue is impeding our timely extraction of historical events.
Quick note: I didn't explicitly convert timestamps to UTC in my example above, so make sure you do that -- in any case, the issue still stands.

# of results <= page size ➡️ no results returned

# of results > page size ➡️ results returned for each page except for last page
@UnrollHelper please unroll

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Frank Lesniak

Frank Lesniak Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @FrankLesniak

Frank Lesniak Profile picture
May 13, 2021
I think a 40" 5K2K monitor is about as perfect as you can get for a regular desk setup.

I know this pushes graphics performance/bandwidth to the limit, and these displays don't go north of 60 Hz - I'm putting those things aside.
If you were to take a 40" 5K2K monitor and superimpose a 4K monitor over it of the exact same height, the 4K monitor would be 32" diagonal.
That makes the ideal viewing distance for someone with 20/20 vision 25.08 inches. Just about perfect.
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

:(