Nuno Mota

Reputation: 33

Get-MgAuditLogDirectoryAudit - unable to search/filter by date/time

I am trying to use PowerShell and the Get-MgAuditLogDirectoryAudit cmdlet to monitor certain events, such as the following:

Get-MgAuditLogDirectoryAudit -Filter "LoggedByService eq 'PIM'" | Select -First 1 | FL

ActivityDateTime     : 17/06/2022 08:54:10
ActivityDisplayName  : Remove member from role (PIM activation expired)
AdditionalDetails    : {RoleDefinitionOriginId, RoleDefinitionOriginType, TemplateId, Metadata}
Category             : RoleManagement
CorrelationId        : f998b539-74cc-4e27-9c33-800ddda42018
Id                   : PIM_f998b539-74cc-4e27-9c33-800ddda42018_0CH8K_7752548
InitiatedBy          : Microsoft.Graph.PowerShell.Models.MicrosoftGraphAuditActivityInitiator
LoggedByService      : PIM
OperationType        : RemoveActivatedRole
Result               : success
ResultReason         :
TargetResources      : {c4e39ds9-1100-34d3-8c65-fb160da0071f, 2ZgtrAAR00aMZfsWDaAHH-5TcmutkjtCiF12YUIjO4s-1, f7ddc610-e91d-4…}
AdditionalProperties : {}

However, I need to retrieve certain log entries that happened in the last x hours, but no matter how I try to filter on ActivityDateTime, I always get the following error (I've tried all possible combinations and formats!): Get-MgAuditLogDirectoryAudit_List1: Invalid filter clause

If ActivityDateTime is not supported as a filter parameter, how can we search log entries after a certain date or within a certain timeframe? Thank you!

Best regards, Nuno

Upvotes: 1

Views: 2143

Answers (1)

user2250152

Reputation: 20778

According to this, the activityDateTime attribute supports the eq, ge, le operators.

The query should look like this

GET /auditLogs/directoryAudits?&$filter=activityDateTime le 2022-06-15
GET /auditLogs/directoryAudits?&$filter=activityDateTime ge 2022-06-15

PowerShell

Get-MgAuditLogDirectoryAudit -Filter "activityDateTime+le+2022-06-15"
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime+ge+2022-06-15"

Including time

GET /auditLogs/directoryAudits?&$filter=activityDateTime le 2022-06-15T21:20:02.7215374Z
GET /auditLogs/directoryAudits?&$filter=activityDateTime ge 2022-06-15T00:00:00.0000000Z

PowerShell

Get-MgAuditLogDirectoryAudit -Filter "activityDateTime+le+2022-06-15T21:20:02.7215374Z"
Get-MgAuditLogDirectoryAudit -Filter "activityDateTime+ge+2022-06-15T00:00:00.0000000Z" 

Upvotes: 0
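
For the "last x hours" case in the question, the timestamp has to be built in the UTC ISO 8601 form shown in the answer. The following is an added example, not code from the original posts: New-AuditTimeFilter is a hypothetical helper name, and the example assumes that the filter can be passed with plain spaces (leaving URL encoding to the SDK), that the service accepts the loggedByService and activityDateTime clauses joined with "and", and that the session has the AuditLog.Read.All scope.

```powershell
# Added example. New-AuditTimeFilter is a hypothetical helper, not an SDK cmdlet.
function New-AuditTimeFilter {
    param(
        # Upper bound of 8760 hours is an arbitrary sanity limit for this example.
        [Parameter(Mandatory)][ValidateRange(1, 8760)][int]$Hours,
        [string]$Service
    )

    # Format the cutoff explicitly as UTC ISO 8601. Expanding a [datetime]
    # inside a string gives a value like 06/17/2022 08:54:10, which is not
    # the form the activityDateTime filter in the answer uses.
    $cutoff = [DateTime]::UtcNow.AddHours(-$Hours).ToString(
        "yyyy-MM-dd'T'HH:mm:ss'Z'",
        [Globalization.CultureInfo]::InvariantCulture)

    $clauses = @("activityDateTime ge $cutoff")

    if ($Service) {
        # OData string literals escape a single quote by doubling it.
        $escaped = $Service.Replace("'", "''")
        $clauses += "loggedByService eq '$escaped'"
    }

    # Returns e.g.: activityDateTime ge 2022-06-17T02:54:10Z and loggedByService eq 'PIM'
    $clauses -join ' and '
}

Connect-MgGraph -Scopes 'AuditLog.Read.All'

$filter = New-AuditTimeFilter -Hours 6 -Service 'PIM'
Write-Verbose "Using filter: $filter"

# -All pages through every result instead of stopping at the first page.
Get-MgAuditLogDirectoryAudit -Filter $filter -All |
    Sort-Object ActivityDateTime -Descending |
    Select-Object ActivityDateTime, ActivityDisplayName, OperationType, Result
```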
