@@ -15,7 +15,7 @@ function Start-AuditLogOrchestrator {
1515 $TenantList = Get-Tenants - IncludeErrors
1616 # Round time down to nearest minute
1717 $Now = Get-Date
18- $StartTime = ($Now.AddSeconds (- $Now.Seconds )).AddHours( -1 )
18+ $StartTime = ($Now.AddSeconds (- $Now.Seconds )).Addh( -30 )
1919 $EndTime = $Now.AddSeconds (- $Now.Seconds )
2020
2121 if (($AuditLogSearches | Measure-Object ).Count -eq 0 ) {
@@ -41,51 +41,11 @@ function Start-AuditLogOrchestrator {
4141 $ServiceFilters = $Configuration | Select-Object - Property type | Sort-Object - Property type - Unique | ForEach-Object { $_.type.split (' .' 1 ] }
4242 try {
4343 $LogSearch = @ {
44- StartTime = $StartTime
45- EndTime = $EndTime
46- ServiceFilters = $ServiceFilters
47- TenantFilter = $Tenant.defaultDomainName
48- ProcessLogs = $true
49- RecordTypeFilters = @ (
50- ' exchangeAdmin' , ' azureActiveDirectory' , ' azureActiveDirectoryAccountLogon' , ' dataCenterSecurityCmdlet' ,
51- ' complianceDLPSharePoint' , ' complianceDLPExchange' , ' azureActiveDirectoryStsLogon' , ' skypeForBusinessPSTNUsage' ,
52- ' skypeForBusinessUsersBlocked' , ' securityComplianceCenterEOPCmdlet' , ' microsoftFlow' , ' aeD' , ' microsoftStream' ,
53- ' threatFinder' , ' project' , ' dataGovernance' , ' securityComplianceAlerts' , ' threatIntelligenceUrl' ,
54- ' securityComplianceInsights' , ' mipLabel' , ' workplaceAnalytics' , ' powerAppsApp' , ' powerAppsPlan' ,
55- ' threatIntelligenceAtpContent' , ' labelContentExplorer' , ' exchangeItemAggregated' , ' hygieneEvent' ,
56- ' dataInsightsRestApiAudit' , ' informationBarrierPolicyApplication' , ' microsoftTeamsAdmin' , ' hrSignal' ,
57- ' informationWorkerProtection' , ' campaign' , ' dlpEndpoint' , ' airInvestigation' , ' quarantine' , ' microsoftForms' ,
58- ' applicationAudit' , ' complianceSupervisionExchange' , ' customerKeyServiceEncryption' , ' officeNative' ,
59- ' mipAutoLabelSharePointItem' , ' mipAutoLabelSharePointPolicyLocation' , ' secureScore' ,
60- ' mipAutoLabelExchangeItem' , ' cortanaBriefing' , ' search' , ' wdatpAlerts' , ' powerPlatformAdminDlp' ,
61- ' powerPlatformAdminEnvironment' , ' mdatpAudit' , ' sensitivityLabelPolicyMatch' , ' sensitivityLabelAction' ,
62- ' sensitivityLabeledFileAction' , ' attackSim' , ' airManualInvestigation' , ' securityComplianceRBAC' , ' userTraining' ,
63- ' airAdminActionInvestigation' , ' mstic' , ' physicalBadgingSignal' , ' aipDiscover' , ' aipSensitivityLabelAction' ,
64- ' aipProtectionAction' , ' aipFileDeleted' , ' aipHeartBeat' , ' mcasAlerts' , ' onPremisesFileShareScannerDlp' ,
65- ' onPremisesSharePointScannerDlp' , ' exchangeSearch' , ' privacyDataMinimization' , ' labelAnalyticsAggregate' ,
66- ' myAnalyticsSettings' , ' securityComplianceUserChange' , ' complianceDLPExchangeClassification' ,
67- ' complianceDLPEndpoint' , ' mipExactDataMatch' , ' msdeResponseActions' , ' msdeGeneralSettings' , ' msdeIndicatorsSettings' ,
68- ' ms365DCustomDetection' , ' msdeRolesSettings' , ' mapgAlerts' , ' mapgPolicy' , ' mapgRemediation' ,
69- ' privacyRemediationAction' , ' privacyDigestEmail' , ' mipAutoLabelSimulationProgress' , ' mipAutoLabelSimulationCompletion' ,
70- ' mipAutoLabelProgressFeedback' , ' dlpSensitiveInformationType' , ' mipAutoLabelSimulationStatistics' ,
71- ' largeContentMetadata' , ' microsoft365Group' , ' cdpMlInferencingResult' , ' filteringMailMetadata' ,
72- ' cdpClassificationMailItem' , ' cdpClassificationDocument' , ' officeScriptsRunAction' , ' filteringPostMailDeliveryAction' ,
73- ' cdpUnifiedFeedback' , ' tenantAllowBlockList' , ' consumptionResource' , ' healthcareSignal' , ' dlpImportResult' ,
74- ' cdpCompliancePolicyExecution' , ' multiStageDisposition' , ' privacyDataMatch' , ' filteringDocMetadata' ,
75- ' filteringEmailFeatures' , ' powerBIDlp' , ' filteringUrlInfo' , ' filteringAttachmentInfo' , ' coreReportingSettings' ,
76- ' complianceConnector' , ' powerPlatformLockboxResourceAccessRequest' , ' powerPlatformLockboxResourceCommand' ,
77- ' cdpPredictiveCodingLabel' , ' cdpCompliancePolicyUserFeedback' , ' webpageActivityEndpoint' , ' omePortal' ,
78- ' cmImprovementActionChange' , ' filteringUrlClick' , ' mipLabelAnalyticsAuditRecord' , ' filteringEntityEvent' ,
79- ' filteringRuleHits' , ' filteringMailSubmission' , ' labelExplorer' , ' microsoftManagedServicePlatform' ,
80- ' powerPlatformServiceActivity' , ' scorePlatformGenericAuditRecord' , ' filteringTimeTravelDocMetadata' , ' alert' ,
81- ' alertStatus' , ' alertIncident' , ' incidentStatus' , ' case' , ' caseInvestigation' , ' recordsManagement' ,
82- ' privacyRemediation' , ' dataShareOperation' , ' cdpDlpSensitive' , ' ehrConnector' , ' filteringMailGradingResult' ,
83- ' microsoftTodoAudit' , ' timeTravelFilteringDocMetadata' , ' microsoftDefenderForIdentityAudit' ,
84- ' supervisoryReviewDayXInsight' , ' defenderExpertsforXDRAdmin' , ' cdpEdgeBlockedMessage' , ' hostedRpa' ,
85- ' cdpContentExplorerAggregateRecord' , ' cdpHygieneAttachmentInfo' , ' cdpHygieneSummary' , ' cdpPostMailDeliveryAction' ,
86- ' cdpEmailFeatures' , ' cdpHygieneUrlInfo' , ' cdpUrlClick' , ' cdpPackageManagerHygieneEvent' , ' filteringDocScan' ,
87- ' timeTravelFilteringDocScan' , ' mapgOnboard'
88- )
44+ StartTime = $StartTime
45+ EndTime = $EndTime
46+ ServiceFilters = $ServiceFilters
47+ TenantFilter = $Tenant.defaultDomainName
48+ ProcessLogs = $true
8949 }
9050 $NewSearch = New-CippAuditLogSearch @LogSearch
9151 Write-Information " Created audit log search $ ( $Tenant.defaultDomainName ) - $ ( $NewSearch.displayName ) "
0 commit comments