Reputation: 11
Using the graph explorer, I'm trying to limit (time box) the number of entries being returned. This is so I can extract the data from Azure to upload into our SIEM portal. I am getting the data back (tens of thousands of datapoints) - but I need to time box them.
This works as a query (both in graph explorer and from powershell) - but the results are not in the time frame requested. I've tried different time formats (including down to the second) and they don't limit the results.
It seems like it isn't going deeper into the data structure for the filter to operate on.
Any suggestions on the filter or a different approach (without accepting all the data each query and doing a post-results filter)?
Note: I also tried the activityDateTime prefix with value/ and value\ (reading from a different article I found) - so value/activityDateTime and value\activityDateTime - no different results (no errors either)
This is the 'get' from graph explorer (beta selected) https://graph.microsoft.com/beta/auditLogs/directoryAudits?=activityDateTime ge 2018-07-16T15:48:00 and activityDateTime lt 2018-07-16T15:58:00
returned this (only partial results; GUID/hex strings were removed). You'll notice that the activityDateTime returned below is not >= and < the date/time passed in the query.
{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#auditLogs/directoryAudits",
    "@odata.nextLink": "https://graph.microsoft.com/beta/auditLogs/directoryAudits?=value%2factivityDateTime+ge+2018-07-16T15%3a48%3a00+and+value%2factivityDateTime+lt+2018-07-16T15%3a58%3a00&$skiptoken=[hex string removed]_1000",
    "value": [
        {
            "id": "Directory_[hex string removed]",
            "category": "Core Directory",
            "correlationId": "[GUID removed]",
            "result": "success",
            "resultReason": "",
            "activityDisplayName": "Update group",
            **"activityDateTime": "2018-07-18T14:30:44.6046176Z"**,
            "loggedByService": "AzureAD",
            "initiatedBy": {
                "user": null,
                "app": null
            },
            "targetResources": [
                {
                    "@odata.type": "#microsoft.graph.targetResourceGroup",
[rest of data returned 1000 total removed]
Upvotes: 1
Views: 1888
Reputation: 33114
You need to specify the parameter name. Otherwise, the API has no way of knowing what operation you want (select, orderby, filter). In this case, you want to $filter like this: $filter=activityDateTime ge 2018-07-16T15:48:00Z and activityDateTime lt 2018-07-16T15:58:00Z.
https://graph.microsoft.com/beta/auditLogs/directoryAudits?$filter=activityDateTime ge 2018-07-16T15:48:00Z and activityDateTime lt 2018-07-16T15:58:00Z
Upvotes: 2
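Putting the answer to work for the SIEM export described in the question, as an added example that is not part of either post: it builds the query with a named `$filter` parameter and UTC (`Z`) bounds, follows `@odata.nextLink` pages, and rejects any record whose `activityDateTime` falls outside the requested window, which is exactly the symptom the question reports. The Graph call is replaced by a constructed fake fetcher (`fake_fetch`, `_PAGES`, `example.invalid`, the `Directory_example*` ids are all made up) so it runs offline.

```python
from datetime import datetime, timezone
from urllib.parse import quote

GRAPH_BETA = "https://graph.microsoft.com/beta/auditLogs/directoryAudits"

def build_url(start: datetime, end: datetime) -> str:
    """Time-boxed query; both bounds must be timezone-aware so the filter carries the 'Z'."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware UTC datetimes")
    fmt = lambda d: d.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    flt = f"activityDateTime ge {fmt(start)} and activityDateTime lt {fmt(end)}"
    # The named parameter is what makes the filter apply; a bare '?=...'
    # (as in the question) is an anonymous value the API ignores.
    return f"{GRAPH_BETA}?$filter={quote(flt)}"

def parse_graph_time(s: str) -> datetime:
    # Graph returns 7 fractional digits (e.g. 14:30:44.6046176Z); Python's
    # fromisoformat accepts at most 6, so trim them and spell out the offset.
    head, _, frac = s.rstrip("Z").partition(".")
    return datetime.fromisoformat(f"{head}.{frac[:6]:0<6}+00:00")

def collect_window(fetch_json, start: datetime, end: datetime) -> list:
    """fetch_json(url) -> dict. Walks every page and returns the records.
    Raises if the service hands back a record outside [start, end)."""
    url, records = build_url(start, end), []
    while url:
        page = fetch_json(url)
        for rec in page.get("value", []):
            t = parse_graph_time(rec["activityDateTime"])
            if not (start <= t < end):
                raise ValueError(f"record {rec['id']} at {t} is outside the window")
            records.append(rec)
        url = page.get("@odata.nextLink")  # None on the last page
    return records

# Constructed sample pages standing in for the real service (placeholder ids).
START = datetime(2018, 7, 16, 15, 48, tzinfo=timezone.utc)
END = datetime(2018, 7, 16, 15, 58, tzinfo=timezone.utc)
_PAGES = {
    build_url(START, END): {
        "value": [{"id": "Directory_example1", "activityDateTime": "2018-07-16T15:50:12.1234567Z"}],
        "@odata.nextLink": "https://example.invalid/page2",
    },
    "https://example.invalid/page2": {
        "value": [{"id": "Directory_example2", "activityDateTime": "2018-07-16T15:57:59Z"}],
    },
}

def fake_fetch(url: str) -> dict:
    return _PAGES[url]
```

Swap `fake_fetch` for a function that performs the authenticated GET and returns the parsed JSON body to run it against the real endpoint.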